Windows Analysis Report
DHL_Shippment_Notification_File1_TRK#92992.exe

Overview

General Information

Sample Name: DHL_Shippment_Notification_File1_TRK#92992.exe
Analysis ID: 703288
MD5: ae1ece1ab35f950a1822c606a7c31468
SHA1: a03b8e19d1618de3b01f614fec4e7f2009a8d246
SHA256: c6dae959f8e5373c6ac8746cfd8227b8d8099b692ee726aacbe18ecf1479282e
Tags: AgentTesla, DHL, exe

Detection

Family: AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • DHL_Shippment_Notification_File1_TRK#92992.exe (PID: 2088 cmdline: "C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe" MD5: AE1ECE1AB35F950A1822C606A7C31468)
    • MSBuild.exe (PID: 5504 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Agenttesla: {"Exfil Mode": "SMTP", "Username": "marou.ouerghi@phossphea.com", "Password": "EpP@%mB2", "Host": "smtp.phossphea.com"}

Yara Overview (memory dumps)
Source | Rule | Description | Author
00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x31064:$a3: MailAccountConfiguration
  • 0x3107d:$a5: SmtpAccountConfiguration
  • 0x31044:$a8: set_BindingAccountConfiguration
  • 0x2ffb1:$a11: get_securityProfile
  • 0x2fe52:$a12: get_useSeparateFolderTree
  • 0x317a7:$a13: get_DnsResolver
  • 0x30261:$a14: get_archivingScope
  • 0x30089:$a15: get_providerName
  • 0x32792:$a17: get_priority
  • 0x31d66:$a18: get_advancedParameters
  • 0x3117e:$a19: get_disabledByRestriction
  • 0x2fc28:$a20: get_LastAccessed
  • 0x302fb:$a21: get_avatarType
  • 0x31e7d:$a22: get_signaturePresets
  • 0x30923:$a23: get_enableLog
  • 0x30106:$a26: set_accountName
  • 0x322c8:$a27: set_InternalServerPort
  • 0x2f599:$a28: set_bindingConfigurationUID
  • 0x31e43:$a29: set_IdnAddress
  • 0x32646:$a30: set_GuidMasterKey
  • 0x30161:$a31: set_username
00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Yara Overview (unpacked PEs)

Source | Rule | Description | Author
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Matched strings:
  • 0x2ef1f:$s1: get_kbok
  • 0x2f853:$s2: get_CHoo
  • 0x304ae:$s3: set_passwordIsSet
  • 0x2ed23:$s4: get_enableLog
  • 0x333cb:$s8: torbrowser
  • 0x31da7:$s10: logins
  • 0x3171f:$s11: credential
  • 0x2e116:$g1: get_Clipboard
  • 0x2e124:$g2: get_Keyboard
  • 0x2e131:$g3: get_Password
  • 0x2f701:$g4: get_CtrlKeyDown
  • 0x2f711:$g5: get_ShiftKeyDown
  • 0x2f722:$g6: get_AltKeyDown
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x2f464:$a3: MailAccountConfiguration
  • 0x2f47d:$a5: SmtpAccountConfiguration
  • 0x2f444:$a8: set_BindingAccountConfiguration
  • 0x2e3b1:$a11: get_securityProfile
  • 0x2e252:$a12: get_useSeparateFolderTree
  • 0x2fba7:$a13: get_DnsResolver
  • 0x2e661:$a14: get_archivingScope
  • 0x2e489:$a15: get_providerName
  • 0x30b92:$a17: get_priority
  • 0x30166:$a18: get_advancedParameters
  • 0x2f57e:$a19: get_disabledByRestriction
  • 0x2e028:$a20: get_LastAccessed
  • 0x2e6fb:$a21: get_avatarType
  • 0x3027d:$a22: get_signaturePresets
  • 0x2ed23:$a23: get_enableLog
  • 0x2e506:$a26: set_accountName
  • 0x306c8:$a27: set_InternalServerPort
  • 0x2d999:$a28: set_bindingConfigurationUID
  • 0x30243:$a29: set_IdnAddress
  • 0x30a46:$a30: set_GuidMasterKey
  • 0x2e561:$a31: set_username
1.0.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                Networking

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5504, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49756

Snort IDS alerts on the SMTP connection 192.168.2.3:49756 -> 208.91.198.143:587:

Timestamp: 09/15/22-09:39:04.357043
Source IP: 192.168.2.3
Destination IP: 208.91.198.143
SID: 2840032
Source Port: 49756
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/15/22-09:39:04.356923
Source IP: 192.168.2.3
Destination IP: 208.91.198.143
SID: 2030171
Source Port: 49756
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/15/22-09:39:04.357043
Source IP: 192.168.2.3
Destination IP: 208.91.198.143
SID: 2851779
Source Port: 49756
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/15/22-09:39:04.356923
Source IP: 192.168.2.3
Destination IP: 208.91.198.143
SID: 2839723
Source Port: 49756
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

                AV Detection

Source: DHL_Shippment_Notification_File1_TRK#92992.exe; Joe Sandbox ML: detected
Source: 1.0.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 1.0.MSBuild.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "marou.ouerghi@phossphea.com", "Password": "EpP@%mB2", "Host": "smtp.phossphea.com"}
Source: DHL_Shippment_Notification_File1_TRK#92992.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DHL_Shippment_Notification_File1_TRK#92992.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49756 -> 208.91.198.143:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49756 -> 208.91.198.143:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49756 -> 208.91.198.143:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49756 -> 208.91.198.143:587
Source: Yara match; File source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View; IP Address: 208.91.198.143
Source: global traffic; TCP traffic: 192.168.2.3:49756 -> 208.91.198.143:587
Source: MSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.253317969.0000000005384000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://hGabWS.com
Source: MSBuild.exe, 00000001.00000002.521960498.00000000032A4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://smtp.phossphea.com
Source: MSBuild.exe, 00000001.00000002.522163112.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.522069418.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.521387791.000000000324C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://support.mailhostbox.com/email-administrators-guide-error-codes/
Source: MSBuild.exe, 00000001.00000002.521960498.00000000032A4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
                Source: MSBuild.exe, 00000001.00000002.521863996.000000000329E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ZXnohkADwCrkK9XFdZI.com
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: MSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                Source: unknownDNS traffic detected: queries for: smtp.phossphea.com

                System Summary

                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.0.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bEC398326u002d75D0u002d4C9Eu002dAE6Du002dDF28D1FDAC04u007d/u00367652608u002dD25Cu002d4A4Cu002dA5F8u002dF1C8C9C57E68.cs Large array initialization: .cctor: array initializer size 11937
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe Code function: 0_2_0237E690
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe Code function: 0_2_0237C244
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe Code function: 0_2_0237E680
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_013646A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01364630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01364690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0136D2E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01560910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01564AD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0156D378
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_015673D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01569718
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0156BA78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01569EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01565450
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_01563430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0157B618
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_015765E0
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000000.249352605.0000000000012000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemQstcs.exeL vs DHL_Shippment_Notification_File1_TRK#92992.exe
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.294035854.0000000006C40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs DHL_Shippment_Notification_File1_TRK#92992.exe
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameewGZpXyfvZrYFVQpPowkwWoYE.exe4 vs DHL_Shippment_Notification_File1_TRK#92992.exe
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs DHL_Shippment_Notification_File1_TRK#92992.exe
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.277993136.000000000257D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameewGZpXyfvZrYFVQpPowkwWoYE.exe4 vs DHL_Shippment_Notification_File1_TRK#92992.exe
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Binary or memory string: OriginalFilenamemQstcs.exeL vs DHL_Shippment_Notification_File1_TRK#92992.exe
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown Process created: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe "C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe"
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Shippment_Notification_File1_TRK#92992.exe.log
                Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@2/1
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: 1.0.MSBuild.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static file information: File size 1113600 > 1048576
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10f400
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, GreenPixelsCalculator/FormPixel.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.DHL_Shippment_Notification_File1_TRK#92992.exe.10000.0.unpack, GreenPixelsCalculator/FormPixel.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe Static PE information: 0xF3BCEC5A [Sat Aug 1 05:19:22 2099 UTC]
                Source: initial sample Static PE information: section name: .text entropy: 7.239736670767991
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMETSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONSFSELECT * FROM WIN32_VIDEOCONTROLLER
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe TID: 5420 | Thread sleep time: -41226s >= -30000s
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe TID: 1360 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4124 | Thread sleep count: 31 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4124 | Thread sleep time: -28592453314249787s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1964 | Thread sleep count: 9861 > 30
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 9861
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Thread delayed: delay time: 41226
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System"SystemBiosVersion
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUNSYSTEM\ControlSet001\Services\Disk\Enum
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: MSBuild.exe, 00000001.00000003.498523950.000000000618A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.525090001.000000000618E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0156E1A8 LdrInitializeThunk,1_2_0156E1A8
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information (VolumeInformation) for each of the following files:
                    C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                    C:\Windows\Fonts\arial.ttf
                    C:\Windows\Fonts\ariali.ttf
                    C:\Windows\Fonts\arialbd.ttf
                    C:\Windows\Fonts\arialbi.ttf
                    C:\Windows\Fonts\ARIALN.TTF
                    C:\Windows\Fonts\ariblk.ttf
                    C:\Windows\Fonts\ARIALNI.TTF
                    C:\Windows\Fonts\ARIALNB.TTF
                    C:\Windows\Fonts\ARIALNBI.TTF
                    C:\Windows\Fonts\bahnschrift.ttf
                    C:\Windows\Fonts\calibri.ttf
                    C:\Windows\Fonts\calibril.ttf
                    C:\Windows\Fonts\calibrii.ttf
                    C:\Windows\Fonts\calibrili.ttf
                    C:\Windows\Fonts\calibrib.ttf
                    C:\Windows\Fonts\calibriz.ttf
                    C:\Windows\Fonts\cambria.ttc
                    C:\Windows\Fonts\cambriai.ttf
                    C:\Windows\Fonts\cambriab.ttf
                    C:\Windows\Fonts\cambriaz.ttf
                    C:\Windows\Fonts\Candara.ttf
                    C:\Windows\Fonts\Candarai.ttf
                    C:\Windows\Fonts\Candarab.ttf
                    C:\Windows\Fonts\Candaraz.ttf
                    C:\Windows\Fonts\comic.ttf
                    C:\Windows\Fonts\comici.ttf
                    C:\Windows\Fonts\comicbd.ttf
                    C:\Windows\Fonts\comicz.ttf
                    C:\Windows\Fonts\consola.ttf
                    C:\Windows\Fonts\consolai.ttf
                    C:\Windows\Fonts\consolab.ttf
                    C:\Windows\Fonts\consolaz.ttf
                    C:\Windows\Fonts\constan.ttf
                    C:\Windows\Fonts\constani.ttf
                    C:\Windows\Fonts\constanb.ttf
                    C:\Windows\Fonts\constanz.ttf
                    C:\Windows\Fonts\corbel.ttf
                    C:\Windows\Fonts\corbeli.ttf
                    C:\Windows\Fonts\corbelb.ttf
                    C:\Windows\Fonts\corbelz.ttf
                    C:\Windows\Fonts\cour.ttf
                    C:\Windows\Fonts\couri.ttf
                    C:\Windows\Fonts\courbd.ttf
                    C:\Windows\Fonts\courbi.ttf
                    C:\Windows\Fonts\ebrima.ttf
                    C:\Windows\Fonts\ebrimabd.ttf
                    C:\Windows\Fonts\framd.ttf
                    C:\Windows\Fonts\FRADM.TTF
                    C:\Windows\Fonts\framdit.ttf
                    C:\Windows\Fonts\FRADMIT.TTF
                    C:\Windows\Fonts\FRAMDCN.TTF
                    C:\Windows\Fonts\FRADMCN.TTF
                    C:\Windows\Fonts\FRAHV.TTF
                    C:\Windows\Fonts\FRAHVIT.TTF
                    C:\Windows\Fonts\Gabriola.ttf
                    C:\Windows\Fonts\gadugi.ttf
                    C:\Windows\Fonts\gadugib.ttf
                    C:\Windows\Fonts\georgia.ttf
                    C:\Windows\Fonts\georgiai.ttf
                    C:\Windows\Fonts\georgiab.ttf
                    C:\Windows\Fonts\georgiaz.ttf
                    C:\Windows\Fonts\impact.ttf
                    C:\Windows\Fonts\Inkfree.ttf
                    C:\Windows\Fonts\javatext.ttf
                    C:\Windows\Fonts\LeelawUI.ttf
                    C:\Windows\Fonts\LeelUIsl.ttf
                    C:\Windows\Fonts\LeelaUIb.ttf
                    C:\Windows\Fonts\lucon.ttf
                    C:\Windows\Fonts\l_10646.ttf
                    C:\Windows\Fonts\malgun.ttf
                    C:\Windows\Fonts\malgunsl.ttf
                    C:\Windows\Fonts\malgunbd.ttf
                    C:\Windows\Fonts\himalaya.ttf
                    C:\Windows\Fonts\msjh.ttc
                    C:\Windows\Fonts\msjhl.ttc
                    C:\Windows\Fonts\msjhbd.ttc
                    C:\Windows\Fonts\ntailu.ttf
                    C:\Windows\Fonts\ntailub.ttf
                    C:\Windows\Fonts\phagspa.ttf
                    C:\Windows\Fonts\phagspab.ttf
                    C:\Windows\Fonts\micross.ttf
                    C:\Windows\Fonts\taile.ttf
                    C:\Windows\Fonts\taileb.ttf
                    C:\Windows\Fonts\msyh.ttc
                    C:\Windows\Fonts\msyhl.ttc
                    C:\Windows\Fonts\msyhbd.ttc
                    C:\Windows\Fonts\msyi.ttf
                    C:\Windows\Fonts\mingliub.ttc
                    C:\Windows\Fonts\monbaiti.ttf
                    C:\Windows\Fonts\msgothic.ttc
                    C:\Windows\Fonts\mvboli.ttf
                    C:\Windows\Fonts\mmrtext.ttf
                    C:\Windows\Fonts\mmrtextb.ttf
                    C:\Windows\Fonts\Nirmala.ttf
                    C:\Windows\Fonts\NirmalaS.ttf
                    C:\Windows\Fonts\NirmalaB.ttf
                    C:\Windows\Fonts\pala.ttf
                    C:\Windows\Fonts\palai.ttf
                    C:\Windows\Fonts\palab.ttf
                    C:\Windows\Fonts\palabi.ttf
                    C:\Windows\Fonts\segoepr.ttf
                    C:\Windows\Fonts\segoeprb.ttf
                    C:\Windows\Fonts\segoesc.ttf
                    C:\Windows\Fonts\segoescb.ttf
                    C:\Windows\Fonts\segoeuii.ttf
                    C:\Windows\Fonts\seguisli.ttf
                    C:\Windows\Fonts\seguili.ttf
                    C:\Windows\Fonts\seguisbi.ttf
                    C:\Windows\Fonts\segoeuiz.ttf
                    C:\Windows\Fonts\seguibl.ttf
                    C:\Windows\Fonts\seguibli.ttf
                    C:\Windows\Fonts\seguiemj.ttf
                    C:\Windows\Fonts\seguihis.ttf
                    C:\Windows\Fonts\seguisym.ttf
                    C:\Windows\Fonts\simsun.ttc
                    C:\Windows\Fonts\simsunb.ttf
                    C:\Windows\Fonts\Sitka.ttc
                    C:\Windows\Fonts\SitkaI.ttc
                    C:\Windows\Fonts\SitkaB.ttc
                    C:\Windows\Fonts\SitkaZ.ttc
                    C:\Windows\Fonts\sylfaen.ttf
                    C:\Windows\Fonts\symbol.ttf
                    C:\Windows\Fonts\tahoma.ttf
                    C:\Windows\Fonts\tahomabd.ttf
                    C:\Windows\Fonts\timesi.ttf
                    C:\Windows\Fonts\timesbd.ttf
                    C:\Windows\Fonts\timesbi.ttf
                    C:\Windows\Fonts\trebuc.ttf
                    C:\Windows\Fonts\trebucit.ttf
                    C:\Windows\Fonts\trebucbd.ttf
                    C:\Windows\Fonts\trebucbi.ttf
                    C:\Windows\Fonts\verdana.ttf
                    C:\Windows\Fonts\verdanai.ttf
                    C:\Windows\Fonts\verdanab.ttf
                    C:\Windows\Fonts\verdanaz.ttf
                    C:\Windows\Fonts\webdings.ttf
                    C:\Windows\Fonts\wingding.ttf
                    C:\Windows\Fonts\YuGothR.ttc
                    C:\Windows\Fonts\YuGothM.ttc
                    C:\Windows\Fonts\YuGothL.ttc
                    C:\Windows\Fonts\YuGothB.ttc
                    C:\Windows\Fonts\holomdl2.ttf
                    C:\Windows\Fonts\CENTURY.TTF
                    C:\Windows\Fonts\LEELAWAD.TTF
                    C:\Windows\Fonts\LEELAWDB.TTF
                    C:\Windows\Fonts\MSUIGHUR.TTF
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR
MITRE ATT&CK Matrix (cells listed in column order; digits preceding a technique name are the report's count markers, kept as extracted)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 12 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

Source | Detection | Scanner | Label | Link
DHL_Shippment_Notification_File1_TRK#92992.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
1.0.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |

Source | Detection | Scanner | Label | Link
smtp.phossphea.com | 1% | Virustotal | |

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/: | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnp | 0% | URL Reputation | safe |
http://www.typography.net | 0% | URL Reputation | safe |
http://www.fontbureau.comcom | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.carterandcone.como. | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
http://DynDns.comDynDNS | 0% | URL Reputation | safe |
http://www.fontbureau.comcoma | 0% | URL Reputation | safe |
http://www.sajatypeworks.comt | 0% | URL Reputation | safe |
http://www.sajatypeworks.comTF | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/F | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/u | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/= | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/u | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/c | 0% | URL Reputation | safe |
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
http://www.goodfont.co.krFc | 0% | Avira URL Cloud | safe |
http://www.typography.net: | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/tu | 0% | Avira URL Cloud | safe |
http://www.carterandcone.comueF | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr.kr | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.krN.TTFz | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr4 | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/s_trh | 0% | Avira URL Cloud | safe |
http://smtp.phossphea.com | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comionoz | 0% | Avira URL Cloud | safe |
https://ZXnohkADwCrkK9XFdZI.com | 0% | Avira URL Cloud | safe |
http://www.tiro.comNorm | 0% | Avira URL Cloud | safe |
http://hGabWS.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high
smtp.phossphea.com | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | MSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.krFc | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.254721116.0000000005383000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | MSBuild.exe, 00000001.00000002.521960498.00000000032A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr4 | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.254721116.0000000005383000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/s_trh | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255633975.0000000005387000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255692889.0000000005382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.krN.TTFz | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.254721116.0000000005383000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.254721116.0000000005383000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256375119.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256216319.000000000538E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/: | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.276075299.0000000000597000.00000004.00000020.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.253317969.0000000005384000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnp | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255679482.000000000538B000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256071956.0000000005386000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255908003.000000000538E000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255775479.0000000005383000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255842864.000000000538D000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255633975.0000000005387000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comueF | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256375119.000000000538F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.net | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.253381410.0000000005384000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcom | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.261926018.0000000005387000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.261828021.0000000005386000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.net: | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.253381410.0000000005384000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr.kr | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.254721116.0000000005383000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.254721116.0000000005383000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256152857.0000000005385000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256375119.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256216319.000000000538E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como. | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256216319.000000000538E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/tu | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://smtp.phossphea.com | MSBuild.exe, 00000001.00000002.521960498.00000000032A4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://DynDns.comDynDNS | MSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcoma | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.275655212.0000000005380000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comt | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.252597277.000000000539B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comTF | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.252597277.000000000539B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | MSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/F | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/u | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/= | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255679482.000000000538B000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255588553.0000000005385000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255633975.0000000005387000.00000004.00000800.00020000.00000000.sdmp | false |
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/zDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://support.mailhostbox.com/email-administrators-guide-error-codes/MSBuild.exe, 00000001.00000002.522163112.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.522069418.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.521387791.000000000324C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.founder.com.cn/cnDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255588553.0000000005385000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmlDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/uDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://ZXnohkADwCrkK9XFdZI.comMSBuild.exe, 00000001.00000002.521863996.000000000329E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.comionozDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.275655212.0000000005380000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.zhongyicts.com.cno.DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256152857.0000000005385000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers8DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.tiro.comNormDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255633975.0000000005387000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/cDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://hGabWS.comMSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
Contacted IP:
IP: 208.91.198.143
Domain: us2.smtp.mailhostbox.com
Country: United States
ASN: 394695
ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Malicious: false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 703288
Start date and time: 2022-09-15 09:36:13 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DHL_Shippment_Notification_File1_TRK#92992.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 54
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.50.105.163, 20.31.108.18, 80.67.82.235, 80.67.82.211, 209.197.3.8, 20.199.120.182, 20.234.34.18, 104.214.104.116, 20.199.120.85
• Excluded domains from analysis (whitelisted): asf-ris-prod-scus-azsc.southcentralus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, iris-de-prod-azsc-weu-b.westeurope.cloudapp.azure.com, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, e16604.g.akamaiedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, ris-prod-eudb.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time: 09:37:16
Type: API Interceptor
Description: 1x Sleep call for process: DHL_Shippment_Notification_File1_TRK#92992.exe modified

Time: 09:37:32
Type: API Interceptor
Description: 692x Sleep call for process: MSBuild.exe modified
Match: 208.91.198.143
Associated samples (each detected as malicious):
• Dynatect Quoting-SP 6048-1.exe
• yp4Lcb8iNuoakvV.exe
• 78JbpvX5I2.exe
• 26082022Mga detalye ng pagbabayad_PDF.exe
• RzNYM7YvjV.exe
• Bank Slip.exe
• PO.exe
• TRANSFERENCIA 112987.17.js
• PO_FRUITILEGBH200220815.exe
• #U8a62#U50f9 5000649.exe
• SecuriteInfo.com.W32.AIDetectNet.01.4726.exe
• Order Inquiry List.exe
• Payment slip #59221301.exe
• Document.exe
• SecuriteInfo.com.Trojan.Olock.1.1431.exe
• DOC_6000019430_AUGUST2022.EXE
• PURCHASE ORDER.exe
• PAYMENT ADVICE.exe
• Doc_Requisition Quote_JULY2022.exe
• pdf.exe
Match: us2.smtp.mailhostbox.com
Associated samples (each detected as malicious; context IP in parentheses):
• Dynatect Quoting-SP 6048-1.exe (208.91.198.143)
• PO080M2022.exe (208.91.199.223)
• GtkmlwjtDuBs57n.exe (208.91.199.223)
• gs3TdJOr4H.exe (208.91.199.223)
• SecuriteInfo.com.Win32.PWSX-gen.7505.exe (208.91.199.223)
• or22fuJ5syXer7N.exe (208.91.199.225)
• SOA Shenzhen H&O International Pdf.exe (208.91.199.223)
• kZBnWfdiFSc3EzW.exe (208.91.199.225)
• PmXNEivvO5NiSJh.exe (208.91.199.223)
• yp4Lcb8iNuoakvV.exe (208.91.198.143)
• DHLTracking_File02092022N289282100000.exe (208.91.199.223)
• SecuriteInfo.com.Trojan.PackedNET.1505.29145.25484.exe (208.91.199.223)
• LGri43t5b5MMet7.exe (208.91.198.143)
• 23082022Paymentdetails_PDF.exe (208.91.199.223)
• Curriculum vitae.exe (208.91.199.225)
• Ordem de compra.exe (208.91.199.225)
• RFQ-6066789.exe (208.91.199.225)
• 78JbpvX5I2.exe (208.91.198.143)
• CV.exe (208.91.199.223)
• 26082022Mga detalye ng pagbabayad_PDF.exe (208.91.198.143)
Match: PUBLIC-DOMAIN-REGISTRYUS
Associated samples (each detected as malicious; context IP in parentheses):
• Confirmation transfer Copy MT103 02426.js (103.53.40.15)
• Dynatect Quoting-SP 6048-1.exe (208.91.198.143)
• PAYMENT COPY.exe (162.215.240.200)
• EMss.N1.cSoZ.js (103.50.163.157)
• PO080M2022.exe (208.91.199.223)
• Item List_RFQ 42723.exe (199.79.62.20)
• IMAGESCANDOCUMENTSFILE5656HU.exe (199.79.62.221)
• GtkmlwjtDuBs57n.exe (208.91.199.223)
• Confirmation transfer Copy MT103 00162426.js (103.53.40.15)
• k9FVGvrYfH.exe (199.79.62.221)
• k9FVGvrYfH.exe (199.79.62.221)
• gs3TdJOr4H.exe (208.91.199.223)
• SecuriteInfo.com.Win32.PWSX-gen.7505.exe (208.91.199.223)
• Swift Copy.exe (103.195.185.115)
• Confirmation transfer Copy MT103 Ref-101019906.js (103.53.40.15)
• SOA Shenzhen H&O International Pdf.exe (208.91.199.223)
• kZBnWfdiFSc3EzW.exe (208.91.199.225)
• PmXNEivvO5NiSJh.exe (208.91.199.223)
• yp4Lcb8iNuoakvV.exe (208.91.198.143)
• Proforma Invoice.exe (103.195.185.115)
No context
No context
Process: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.2345776578337535
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: DHL_Shippment_Notification_File1_TRK#92992.exe
File size: 1113600
MD5: ae1ece1ab35f950a1822c606a7c31468
SHA1: a03b8e19d1618de3b01f614fec4e7f2009a8d246
SHA256: c6dae959f8e5373c6ac8746cfd8227b8d8099b692ee726aacbe18ecf1479282e
SHA512: ce3a0f0a7d53079431a2d71233bf3dbfa37151d3ebccffd1a63f5521b8bf451e1396fc17b9febc7ffeb156462344a4b657ea12cd799de0341706cb9cb8f1ae97
SSDEEP: 12288:rdgvgZ2hNxedCcbbRZJsP+Jz7P7O77OKJDszIeQUq3MnemCj1XrNYATi+U/L:Z+Uyelbj2Enz4yKVa2cXC5rSCe
TLSH: 4C35F1281666C90AC8AAA574DCD2F2711E685DD1836FC74B08EC3C7BF27738C6D913A5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.................0.............".... ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x511322
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF3BCEC5A [Sat Aug 1 05:19:22 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1112d0         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x112000         0x5d4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x114000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1112b4         0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x10f328      0x10f400  False     0.7842003888248847   data       7.239736670767991    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x112000         0x5d4         0x600     False     0.427734375          data       4.136423920181342    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x114000         0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                         Language  Country
RT_VERSION   0x112090  0x344  data
RT_MANIFEST  0x1123e4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                                         Source Port  Dest Port  Source IP    Dest IP
09/15/22-09:39:04.357043  TCP       2840032  ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  49756        587        192.168.2.3  208.91.198.143
09/15/22-09:39:04.356923  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP                             49756        587        192.168.2.3  208.91.198.143
09/15/22-09:39:04.357043  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil                         49756        587        192.168.2.3  208.91.198.143
09/15/22-09:39:04.356923  TCP       2839723  ETPRO TROJAN Win32/Agent Tesla SMTP Activity                    49756        587        192.168.2.3  208.91.198.143
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 15, 2022 09:37:02.762892008 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.762964964 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763011932 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763046026 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763078928 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763102055 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763114929 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763134003 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763148069 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.763164043 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.780224085 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780261993 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780287981 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780312061 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780338049 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780360937 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780534983 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780560017 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780584097 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780608892 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780709982 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780756950 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780782938 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780874014 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780961990 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.780997038 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781021118 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781112909 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781138897 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781328917 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781354904 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781436920 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781462908 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781485081 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781779051 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781809092 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781917095 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781943083 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.781965017 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782001972 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782236099 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782264948 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782289028 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782375097 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.782404900 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782432079 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782454967 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782479048 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782608986 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.782638073 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783195019 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783219099 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783241987 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783266068 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783288956 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783313036 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783335924 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:02.783337116 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783431053 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783457041 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783479929 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783503056 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783674002 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783698082 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783723116 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783745050 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783790112 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.783813953 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.830828905 CEST  443          49720      204.79.197.200  192.168.2.3
Sep 15, 2022 09:37:02.831214905 CEST  49720        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:50.769051075 CEST  80           49685      93.184.220.29   192.168.2.3
Sep 15, 2022 09:37:50.772986889 CEST  49685        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:37:52.752085924 CEST  49693        443        192.168.2.3     23.50.106.206
Sep 15, 2022 09:37:52.786793947 CEST  443          49693      23.50.106.206   192.168.2.3
Sep 15, 2022 09:37:52.786825895 CEST  443          49693      23.50.106.206   192.168.2.3
Sep 15, 2022 09:37:52.786901951 CEST  49693        443        192.168.2.3     23.50.106.206
Sep 15, 2022 09:37:52.786959887 CEST  49693        443        192.168.2.3     23.50.106.206
Sep 15, 2022 09:37:52.871049881 CEST  80           49690      93.184.220.29   192.168.2.3
Sep 15, 2022 09:37:52.871154070 CEST  49690        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:37:53.315464973 CEST  49683        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:53.315571070 CEST  49684        443        192.168.2.3     204.79.197.200
Sep 15, 2022 09:37:53.315814972 CEST  49685        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:37:53.331041098 CEST  49689        443        192.168.2.3     23.35.237.194
Sep 15, 2022 09:37:53.331247091 CEST  49690        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:37:53.957889080 CEST  80           49711      178.79.242.0    192.168.2.3
Sep 15, 2022 09:37:53.958055973 CEST  49711        80         192.168.2.3     178.79.242.0
Sep 15, 2022 09:37:53.958085060 CEST  49711        80         192.168.2.3     178.79.242.0
Sep 15, 2022 09:37:53.986481905 CEST  80           49711      178.79.242.0    192.168.2.3
Sep 15, 2022 09:37:54.040400982 CEST  80           49708      93.184.220.29   192.168.2.3
Sep 15, 2022 09:37:54.040591002 CEST  49708        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:37:54.449733019 CEST  49715        443        192.168.2.3     20.199.120.151
Sep 15, 2022 09:37:54.478545904 CEST  443          49715      20.199.120.151  192.168.2.3
Sep 15, 2022 09:37:54.530620098 CEST  49715        443        192.168.2.3     20.199.120.151
Sep 15, 2022 09:37:55.723659992 CEST  80           49714      93.184.220.29   192.168.2.3
Sep 15, 2022 09:37:55.723777056 CEST  49714        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:37:55.733139038 CEST  80           49712      93.184.221.240  192.168.2.3
Sep 15, 2022 09:37:55.733292103 CEST  49712        80         192.168.2.3     93.184.221.240
Sep 15, 2022 09:38:35.904993057 CEST  49714        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:38:35.922214031 CEST  80           49714      93.184.220.29   192.168.2.3
Sep 15, 2022 09:38:35.922348022 CEST  49714        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:38:43.582127094 CEST  49708        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:38:43.582217932 CEST  49712        80         192.168.2.3     93.184.221.240
Sep 15, 2022 09:38:43.599730968 CEST  80           49712      93.184.221.240  192.168.2.3
Sep 15, 2022 09:38:43.599865913 CEST  49712        80         192.168.2.3     93.184.221.240
Sep 15, 2022 09:38:43.601295948 CEST  80           49708      93.184.220.29   192.168.2.3
Sep 15, 2022 09:38:43.601429939 CEST  49708        80         192.168.2.3     93.184.220.29
Sep 15, 2022 09:38:54.453660965 CEST  49715        443        192.168.2.3     20.199.120.151
Sep 15, 2022 09:38:54.481374979 CEST  443          49715      20.199.120.151  192.168.2.3
Sep 15, 2022 09:38:54.535696030 CEST  49715        443        192.168.2.3     20.199.120.151
Sep 15, 2022 09:39:02.855232000 CEST  49756        587        192.168.2.3     208.91.198.143
Sep 15, 2022 09:39:03.019243956 CEST  587          49756      208.91.198.143  192.168.2.3
Sep 15, 2022 09:39:03.019401073 CEST  49756        587        192.168.2.3     208.91.198.143
Sep 15, 2022 09:39:03.335588932 CEST  587          49756      208.91.198.143  192.168.2.3
Sep 15, 2022 09:39:03.336009979 CEST  49756        587        192.168.2.3     208.91.198.143
Sep 15, 2022 09:39:03.498748064 CEST  587          49756      208.91.198.143  192.168.2.3
Sep 15, 2022 09:39:03.498826981 CEST  587          49756      208.91.198.143  192.168.2.3
Sep 15, 2022 09:39:03.500922918 CEST  49756        587        192.168.2.3     208.91.198.143
Sep 15, 2022 09:39:03.666688919 CEST  587          49756      208.91.198.143  192.168.2.3
Sep 15, 2022 09:39:03.667407990 CEST  49756        587        192.168.2.3     208.91.198.143
Sep 15, 2022 09:39:03.835633993 CEST  587          49756      208.91.198.143  192.168.2.3
Sep 15, 2022 09:39:03.836508989 CEST  49756        587        192.168.2.3     208.91.198.143
Sep 15, 2022 09:39:04.001338005 CEST  587          49756      208.91.198.143  192.168.2.3
Sep 15, 2022 09:39:04.001666069 CEST  49756        587        192.168.2.3     208.91.198.143
Sep 15, 2022 09:39:04.189774036 CEST  587          49756      208.91.198.143  192.168.2.3
                                                                                  Sep 15, 2022 09:39:04.190390110 CEST49756587192.168.2.3208.91.198.143
                                                                                  Sep 15, 2022 09:39:04.354229927 CEST58749756208.91.198.143192.168.2.3
                                                                                  Sep 15, 2022 09:39:04.356923103 CEST49756587192.168.2.3208.91.198.143
                                                                                  Sep 15, 2022 09:39:04.357043028 CEST49756587192.168.2.3208.91.198.143
                                                                                  Sep 15, 2022 09:39:04.357719898 CEST49756587192.168.2.3208.91.198.143
                                                                                  Sep 15, 2022 09:39:04.357810974 CEST49756587192.168.2.3208.91.198.143
                                                                                  Sep 15, 2022 09:39:04.519874096 CEST58749756208.91.198.143192.168.2.3
                                                                                  Sep 15, 2022 09:39:04.520318031 CEST58749756208.91.198.143192.168.2.3
                                                                                  Sep 15, 2022 09:39:04.524334908 CEST58749756208.91.198.143192.168.2.3
                                                                                  Sep 15, 2022 09:39:04.534440041 CEST49756587192.168.2.3208.91.198.143
                                                                                  Sep 15, 2022 09:39:04.698221922 CEST58749756208.91.198.143192.168.2.3
                                                                                  Sep 15, 2022 09:39:04.698324919 CEST49756587192.168.2.3208.91.198.143
                                                                                  Sep 15, 2022 09:39:07.068054914 CEST44349720204.79.197.200192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2022 09:39:02.417979956 CEST | 58691 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2022 09:39:02.614197969 CEST | 53 | 58691 | 8.8.8.8 | 192.168.2.3
Sep 15, 2022 09:39:02.631535053 CEST | 53305 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2022 09:39:02.835714102 CEST | 53 | 53305 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2022 09:39:02.417979956 CEST | 192.168.2.3 | 8.8.8.8 | 0x3c63 | Standard query (0) | smtp.phossphea.com | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.631535053 CEST | 192.168.2.3 | 8.8.8.8 | 0xf9cd | Standard query (0) | smtp.phossphea.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2022 09:39:02.614197969 CEST | 8.8.8.8 | 192.168.2.3 | 0x3c63 | No error (0) | smtp.phossphea.com | us2.smtp.mailhostbox.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2022 09:39:02.614197969 CEST | 8.8.8.8 | 192.168.2.3 | 0x3c63 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.198.143 | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.614197969 CEST | 8.8.8.8 | 192.168.2.3 | 0x3c63 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.224 | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.614197969 CEST | 8.8.8.8 | 192.168.2.3 | 0x3c63 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.225 | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.614197969 CEST | 8.8.8.8 | 192.168.2.3 | 0x3c63 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.223 | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.835714102 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9cd | No error (0) | smtp.phossphea.com | us2.smtp.mailhostbox.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2022 09:39:02.835714102 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9cd | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.223 | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.835714102 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9cd | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.225 | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.835714102 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9cd | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.198.143 | A (IP address) | IN (0x0001)
Sep 15, 2022 09:39:02.835714102 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9cd | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.224 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 15, 2022 09:39:03.335588932 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 15, 2022 09:39:03.336009979 CEST | 49756 | 587 | 192.168.2.3 | 208.91.198.143 | EHLO 536720
Sep 15, 2022 09:39:03.498826981 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Sep 15, 2022 09:39:03.500922918 CEST | 49756 | 587 | 192.168.2.3 | 208.91.198.143 | AUTH login bWFyb3Uub3VlcmdoaUBwaG9zc3BoZWEuY29t
Sep 15, 2022 09:39:03.666688919 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Sep 15, 2022 09:39:03.835633993 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 235 2.7.0 Authentication successful
Sep 15, 2022 09:39:03.836508989 CEST | 49756 | 587 | 192.168.2.3 | 208.91.198.143 | MAIL FROM:<marou.ouerghi@phossphea.com>
Sep 15, 2022 09:39:04.001338005 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 250 2.1.0 Ok
Sep 15, 2022 09:39:04.001666069 CEST | 49756 | 587 | 192.168.2.3 | 208.91.198.143 | RCPT TO:<marou.ouerghi@phossphea.com>
Sep 15, 2022 09:39:04.189774036 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 250 2.1.5 Ok
Sep 15, 2022 09:39:04.190390110 CEST | 49756 | 587 | 192.168.2.3 | 208.91.198.143 | DATA
Sep 15, 2022 09:39:04.354229927 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF>
Sep 15, 2022 09:39:04.357810974 CEST | 49756 | 587 | 192.168.2.3 | 208.91.198.143 | .
Sep 15, 2022 09:39:04.524334908 CEST | 587 | 49756 | 208.91.198.143 | 192.168.2.3 | 550 5.7.1 This message is rejected by our SPAM filters. Please refer http://support.mailhostbox.com/email-administrators-guide-error-codes/ for more information

Target ID: 0
Start time: 09:37:08
Start date: 15/09/2022
Path: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe"
Imagebase: 0x10000
File size: 1113600 bytes
MD5 hash: AE1ECE1AB35F950A1822C606A7C31468
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 09:37:18
Start date: 15/09/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase: 0xb60000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high

Execution Graph

Execution Coverage: 12%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 93
Total number of Limit Nodes: 8
Execution graph: the rendered graph is not reproduced in this text export; its node data names the API calls LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, CreateActCtxA, CreateWindowExW and DuplicateHandle.

                                                                                    Control-flow Graph

Control-flow graph for the function at 237e680-237ef94: the rendered graph (executed / not executed blocks) is not reproduced in this text export.
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ,
                                                                                    • API String ID: 0-3772416878
                                                                                    • Opcode ID: 1875e079334b15cc9f836a0862ce4e4029d47873d47a5b74218f26a388faed93
                                                                                    • Instruction ID: 1055ee68074e9348f3f3d7ebf2fa00fa31d7cc5d58afc13c73e20c732be15dc4
                                                                                    • Opcode Fuzzy Hash: 1875e079334b15cc9f836a0862ce4e4029d47873d47a5b74218f26a388faed93
                                                                                    • Instruction Fuzzy Hash: CCC118F1CA17468BE718DF65ECC818D3BB1BB85328F924A0CD1616B6D0D7B8146ACF44
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2f3d9d2626c3c4c810277b4d07c8b42e40b29683ccbcdbff70ac30b7d8573a23
                                                                                    • Instruction ID: ec53515d2aed0c12a704a201bd6716d2f1ffe7457d14b5bcde80c2780b432a0b
                                                                                    • Opcode Fuzzy Hash: 2f3d9d2626c3c4c810277b4d07c8b42e40b29683ccbcdbff70ac30b7d8573a23
                                                                                    • Instruction Fuzzy Hash: 1A12B3F5CA17468BE318DF65ECD818D3BA1B744328FD24A0CD2612BAD1D7B8156ACF84
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0237B810
                                                                                    • GetCurrentThread.KERNEL32 ref: 0237B84D
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0237B88A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0237B8E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0
                                                                                    • Opcode ID: 72e9ff5994d6d15a7e7c46c02cdd789b3d2a1b5c632f16d9e89fe5b54c277127
                                                                                    • Instruction ID: c95b8acd84db89240ea7477d9335bfa4fbe2e693443aea7ef3d3a3b2a11e14ec
                                                                                    • Opcode Fuzzy Hash: 72e9ff5994d6d15a7e7c46c02cdd789b3d2a1b5c632f16d9e89fe5b54c277127
                                                                                    • Instruction Fuzzy Hash: 505166B4D006899FDB54CFAAD588BEEBBF1EF48318F24846AE009A7350C7745844CF61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0237B810
                                                                                    • GetCurrentThread.KERNEL32 ref: 0237B84D
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0237B88A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0237B8E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0
                                                                                    • Opcode ID: 8e598c76ca5a589ed82274dde1c607b9aa94bd3353ae7e7b5e3d307e3709b5f4
                                                                                    • Instruction ID: 9c95d3230d77c237be1152028b6d6b57d4a87b8f0616111a6f334db95b5a0e01
                                                                                    • Opcode Fuzzy Hash: 8e598c76ca5a589ed82274dde1c607b9aa94bd3353ae7e7b5e3d307e3709b5f4
                                                                                    • Instruction Fuzzy Hash: 8E5165B4D002899FDB54CFAAD588BEEFBF1AF48318F24846AE019A7350D7785844CF61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

Control-flow graph for the function at 237fe0c-237ff89 (CreateWindowExW call in block 237fedb-237ff3a): the rendered graph (executed / not executed blocks) is not reproduced in this text export.
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0237FF2A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 03f8c585541f14726b50f0a55d5c4e70e33a8d3f8cc95d460fb6322410f668f7
                                                                                    • Instruction ID: 5282d9e64433bc95a4be9ea2600977d2ac9969ed588aa1a322ea2e5a90b6a54f
                                                                                    • Opcode Fuzzy Hash: 03f8c585541f14726b50f0a55d5c4e70e33a8d3f8cc95d460fb6322410f668f7
                                                                                    • Instruction Fuzzy Hash: 8951C0B1D003499FDF14CFA9D884ADEBBB5FF89314F24812AE819AB610D7749946CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 237fe18; basic blocks 237fe18-237ff89; CreateWindowExW called from block 237fe9b-237ff3a
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0237FF2A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: b4b1bd24f51e53deb997f7233bd08b0b731375ffc23e35da0d4dc69a0667ca8e
                                                                                    • Instruction ID: 7450ce4bc0ab6436b41fb04963ac64165c4347473f465b347e14d686b3fd2014
                                                                                    • Opcode Fuzzy Hash: b4b1bd24f51e53deb997f7233bd08b0b731375ffc23e35da0d4dc69a0667ca8e
                                                                                    • Instruction Fuzzy Hash: CF41B0B1D003499FDF14CFA9D884ADEFBB5BF48314F24812AE419AB210D7749985CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 2373de8; basic blocks 2373de8-23754b9; CreateActCtxA called from block 2373de8-2375431
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 02375421
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 5966fb6de9ee46fcf6f0bf5a2696a4d40089478f634ac0134eba9bdc922e3de4
                                                                                    • Instruction ID: 0d3f945470ca32ed7af11b819fbb516a61ebe6b4beb905f48605be6e9429fd13
                                                                                    • Opcode Fuzzy Hash: 5966fb6de9ee46fcf6f0bf5a2696a4d40089478f634ac0134eba9bdc922e3de4
                                                                                    • Instruction Fuzzy Hash: 794115B0D04218CFEF24CFA9C84478EBBB5BF88305F61806AD409BB251DBB95945CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 237536e; basic blocks 237536e-23754b9; CreateActCtxA called from block 237536e-2375431
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 02375421
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: a64d98bd6560d7e3b1571f026447fc3a075e81dfebffe8b7270a995893766e89
                                                                                    • Instruction ID: ea84cc55cfbe333d0bf792151e30aa2187923540547a5c9f87c87af77a46d2df
                                                                                    • Opcode Fuzzy Hash: a64d98bd6560d7e3b1571f026447fc3a075e81dfebffe8b7270a995893766e89
                                                                                    • Instruction Fuzzy Hash: DA4115B0D00218CEEF24CFA9C8847CEBBB5BF88305F65806AD409BB251DBB51946CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 237b9d2; basic blocks 237b9d2-237ba92; DuplicateHandle called from block 237b9d2-237ba6c
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0237BA5F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 37fb68691e40e33dfbb6f17b8208c7eb6696f5e2e1975280843816306ddf7fba
                                                                                    • Instruction ID: 462ad3eb1dc003e838d9b138e7d3e64413ff593c5506035c72f71e6711c2d78b
                                                                                    • Opcode Fuzzy Hash: 37fb68691e40e33dfbb6f17b8208c7eb6696f5e2e1975280843816306ddf7fba
                                                                                    • Instruction Fuzzy Hash: E821E3B5900249AFDB10CFA9D984BEEBFF4EB48324F14806AE954A3210C378A945CF60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 237b9d8; basic blocks 237b9d8-237ba92; DuplicateHandle called from block 237b9d8-237ba6c
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0237BA5F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 6f07935e0c52a5c989b7145be7195117a5bf516e42830d3ae375a6beb317ee6b
                                                                                    • Instruction ID: 7136a5185766d69179b9ed104de96429541abf1f0d569412f6137bf9d06e4e1d
                                                                                    • Opcode Fuzzy Hash: 6f07935e0c52a5c989b7145be7195117a5bf516e42830d3ae375a6beb317ee6b
                                                                                    • Instruction Fuzzy Hash: BA21C4B5900249AFDB10CFA9D984BDEFBF9FB48324F14841AE954A3310D378A955CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 2379598; basic blocks 2379598-2379cb5; LoadLibraryExW called from block 2379c60-2379c8f
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02379A71,00000800,00000000,00000000), ref: 02379C82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: c00cdfcfa5e23a06a334d968206f4a798ce0ec5370b25d5dce4787d36e04e68e
                                                                                    • Instruction ID: 888a21478cc99ac89018122a43a848313e1a8bd08027f07f905fe1dfc5d62855
                                                                                    • Opcode Fuzzy Hash: c00cdfcfa5e23a06a334d968206f4a798ce0ec5370b25d5dce4787d36e04e68e
                                                                                    • Instruction Fuzzy Hash: CF1103B6904249DFDF20CF9AC544BDEFBF8EB88324F14852AE415A7600C378A545CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 2379c10; basic blocks 2379c10-2379cb5; LoadLibraryExW called from block 2379c60-2379c8f
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02379A71,00000800,00000000,00000000), ref: 02379C82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: 6346b26c9a2979b726375bca61c9b917dc68c2c00ed78beddaca0138d39c18a6
                                                                                    • Instruction ID: f25be387da39a640bd10b0d6c1f8230578a60fedda030132b2565531b8a8652e
                                                                                    • Opcode Fuzzy Hash: 6346b26c9a2979b726375bca61c9b917dc68c2c00ed78beddaca0138d39c18a6
                                                                                    • Instruction Fuzzy Hash: 891103B69002498FDF20CFAAD584BDEFBF4AB88324F14856AD459A7200C378A545CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 237998a; basic blocks 237998a-2379a20; GetModuleHandleW called from block 23799d8-2379a03
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 023799F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: f63b30a662b42cd1b4b85fa0f9447bdf7c2c964a5d1bde92acee2dad7f29afe8
                                                                                    • Instruction ID: 10fad87242dd153a5cec8d33ec385d3bd8c67e89b959f6c350b783258627f800
                                                                                    • Opcode Fuzzy Hash: f63b30a662b42cd1b4b85fa0f9447bdf7c2c964a5d1bde92acee2dad7f29afe8
                                                                                    • Instruction Fuzzy Hash: 371134B5D006498FDB10CF9AC444BDEFBF4EF49224F14812AD859B7210C378A546CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (rendered graph and executed/not-executed legend not reproduced): entry 2379990; basic blocks 2379990-2379a20; GetModuleHandleW called from block 23799d8-2379a03
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 023799F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: a046bbe8ee2a3ae461733911f9c49af1d41b93d259207e41905d7064bb0d81a8
                                                                                    • Instruction ID: 9cf24a9650f5f0945aeca7ea38092e67937e37ee66d6f4cfdfea2c783c0e0fd7
                                                                                    • Opcode Fuzzy Hash: a046bbe8ee2a3ae461733911f9c49af1d41b93d259207e41905d7064bb0d81a8
                                                                                    • Instruction Fuzzy Hash: 5D1110B5C006498FDB20CF9AC484BDEFBF4AF89224F14852AD469B7600C378A546CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.276913495.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2370000_DHL_Shippment_Notification_File1_TRK#92992.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1e4cf9d981b1936d215680c39c4bf578260f37d07dc160db3019075e2f0e7b90
                                                                                    • Instruction ID: c62338ef44964b817224e9827bc0720953b658fce4866853ab451d67d3815a2e
                                                                                    • Opcode Fuzzy Hash: 1e4cf9d981b1936d215680c39c4bf578260f37d07dc160db3019075e2f0e7b90
                                                                                    • Instruction Fuzzy Hash: E8A15C32E1021ACFCF25DFA5C84499EB7F2FF89304B15856AE805BB261EB35A955CF40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
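
The records above repeat a fixed set of fields per function, and several of them describe the same code twice: the two CreateWindowExW records cite the same call site 0237FF2A, the two DuplicateHandle records the same 0237BA5F, and likewise for the CreateActCtxA, LoadLibraryExW and GetModuleHandleW pairs. The Python script below is an added example, not part of this Joe Sandbox report or of the Joe Sandbox tooling. It parses such records into structured entries, reports call sites cited by more than one record, and compares the instruction fuzzy hashes of records that share an API String ID. The positional hash comparison, the 16-position threshold and the use of the "Uniqueness Score" line as the record terminator are this example's own assumptions; the embedded sample input is copied from the records above, reduced to the fields the script reads.

```python
"""Parse Joe Sandbox per-function records (the 'APIs' / 'Similarity' /
'Uniqueness' blocks above) and cross-check them: which records cite the same
call site, and which pairs have near-identical instruction fuzzy hashes."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt copied from the records above (two CreateWindowExW functions and one
# DuplicateHandle function), reduced to the fields this script reads.
REPORT_EXCERPT = """\
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0237FF2A
• API ID: CreateWindow
• API String ID: 716092398-0
• Opcode ID: 03f8c585541f14726b50f0a55d5c4e70e33a8d3f8cc95d460fb6322410f668f7
• Instruction Fuzzy Hash: 8951C0B1D003499FDF14CFA9D884ADEBBB5FF89314F24812AE819AB610D7749946CF90
Uniqueness Score: -1.00%
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0237FF2A
• API ID: CreateWindow
• API String ID: 716092398-0
• Opcode ID: b4b1bd24f51e53deb997f7233bd08b0b731375ffc23e35da0d4dc69a0667ca8e
• Instruction Fuzzy Hash: CF41B0B1D003499FDF14CFA9D884ADEFBB5BF48314F24812AE419AB210D7749985CF90
Uniqueness Score: -1.00%
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0237BA5F
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID: 37fb68691e40e33dfbb6f17b8208c7eb6696f5e2e1975280843816306ddf7fba
• Instruction Fuzzy Hash: E821E3B5900249AFDB10CFA9D984BEEBFF4EB48324F14806AE954A3210C378A945CF60
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*(API ID|API String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")
FIELDS = {"API ID": "api_id", "API String ID": "api_string_id",
          "Opcode ID": "opcode_id", "Instruction Fuzzy Hash": "instr_hash"}

@dataclass
class FunctionRecord:
    api_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instr_hash: str = ""
    calls: list = field(default_factory=list)  # (api, module, call-site address)

def parse_records(text):
    """One record per function; the 'Uniqueness Score' line closes a record
    (assumption about the report layout, taken from the blocks above)."""
    records, current = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            records.append(current)
            current = FunctionRecord()
            continue
        m = API_RE.match(line)
        if m:
            current.calls.append((m.group(1), m.group(2), m.group(3).upper()))
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(current, FIELDS[m.group(1)], m.group(2).strip())
    if current.opcode_id or current.calls:  # last record lacked a closing line
        records.append(current)
    return records

def hash_mismatches(a, b):
    """Positions at which two equal-length fuzzy hashes differ. A positional
    comparison is this example's own metric, not Joe Sandbox's similarity."""
    if len(a) != len(b):
        raise ValueError("hashes of different length are not comparable here")
    return sum(x != y for x, y in zip(a, b))

def shared_call_sites(records):
    """(api, address) -> indexes of all records citing that call site. Two
    records citing one site are overlapping function ranges, not two calls."""
    by_site = defaultdict(list)
    for idx, rec in enumerate(records):
        for api, _module, addr in rec.calls:
            by_site[(api, addr)].append(idx)
    return {site: idxs for site, idxs in by_site.items() if len(idxs) > 1}

def near_duplicates(records, max_mismatch=16):
    """Pairs with the same API String ID but different Opcode ID whose fuzzy
    hashes differ in at most max_mismatch positions (threshold is arbitrary)."""
    pairs = []
    for i, a in enumerate(records):
        for j in range(i + 1, len(records)):
            b = records[j]
            if a.api_string_id != b.api_string_id or a.opcode_id == b.opcode_id:
                continue
            if len(a.instr_hash) == len(b.instr_hash):
                d = hash_mismatches(a.instr_hash, b.instr_hash)
                if d <= max_mismatch:
                    pairs.append((i, j, d))
    return pairs

if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for site, idxs in shared_call_sites(recs).items():
        print("call site cited by records", idxs, ":", site)
    for i, j, d in near_duplicates(recs):
        print(f"records {i},{j} ({recs[i].api_id}): {d} differing hash positions")
```

Run stand-alone, the script reports the CreateWindowExW call site 0237FF2A as cited by records 0 and 1 and the 12 positions in which their instruction fuzzy hashes differ; fed a whole report, it shows how many of the listed functions are really distinct call sites, which matters before counting "functions calling API X" as an indicator.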

                                                                                    Execution Graph

                                                                                    Execution Coverage:10.1%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:3%
                                                                                    Total number of Nodes:233
                                                                                    Total number of Limit Nodes:31
                                                                                    execution_graph (serialized node and edge list not reproduced): nodes span code at 1361328-136bf05 and 1567308-157947a; API calls reached in the graph: CallWindowProcW, CreateWindowExW, DosPathToSessionPathW, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, GetPrivateProfileStructW, LdrInitializeThunk, RegOpenKeyExW, RegQueryValueExW, RtlEncodePointer
35439->35437 35441 1367e40 35440->35441 35442 1367e82 35441->35442 35443 1367f2c 35441->35443 35445 1367eda CallWindowProcW 35442->35445 35446 1367e89 35442->35446 35444 136359c CallWindowProcW 35443->35444 35444->35446 35445->35446 35446->35437
Strings
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID:
• String ID: V
• API String ID: 0-1342839628
• Opcode ID: 61b9444c0988824b3ca211fa908bbaa76f04f3a3a379d209dabb0ebae0ac2050
• Instruction ID: e2b2f5397468b2a016873940ab92eb9c72f115f40f5559d22cefbb351cd14d1d
• Opcode Fuzzy Hash: 61b9444c0988824b3ca211fa908bbaa76f04f3a3a379d209dabb0ebae0ac2050
• Instruction Fuzzy Hash: 60C2DF30B043418FDB56DB78D858A6EBBF6AF85304F1980AAD409DB396DB38DC46CB51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[rendered graph for the function at 1569ea0; basic-block and edge data not reproduced. API call on the graph: GetPrivateProfileStructW]
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 01569F29
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: b52b537311f284bb98c788ab48da6186de2416843c93e7080e9f62f5a6716f69
• Instruction ID: 96b6ae5bbba9de1438102c230a9dd09839bd0fd8d53369c8954b49e3a1d16a85
• Opcode Fuzzy Hash: b52b537311f284bb98c788ab48da6186de2416843c93e7080e9f62f5a6716f69
• Instruction Fuzzy Hash: 1DE1A030B042159FE728EB78885476EBAEBAFC5348F15C528D12AEF384DF759C418791
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[rendered graph for the function at 1569718; basic-block and edge data not reproduced. API call on the graph: LdrInitializeThunk]
APIs
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 48591dcebc6e5ab87c71d4e6ad5d1f3b5d567f1d1fbe8caab46faf0b04bfd734
• Instruction ID: e502f18247dbc5589ac11bc4e4a33104cc3314ab25d2af632d672464239f4565
• Opcode Fuzzy Hash: 48591dcebc6e5ab87c71d4e6ad5d1f3b5d567f1d1fbe8caab46faf0b04bfd734
• Instruction Fuzzy Hash: E6D1D131A042058FDB25DB78C8846AEB7BAFF85308F148969D505DF396EB38D841C7A1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[rendered graph for the function at 157b618; basic-block and edge data not reproduced. API call on the graph: WaitMessage]
Memory Dump Source
• Source File: 00000001.00000002.518031450.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1570000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a6dd31f1940cc2af7c153660f146c9c5f03d8ddf7037afb0a4a5316657c3325
• Instruction ID: 03774545dac53d05b9d5a373d72de6ef61e26cf345316855f4003b1c875d1fdb
• Opcode Fuzzy Hash: 2a6dd31f1940cc2af7c153660f146c9c5f03d8ddf7037afb0a4a5316657c3325
• Instruction Fuzzy Hash: 74F15C30A00209CFDB14DFA9D849BADBBF1FF88314F158569E519AF2A5DB70A945CB80
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3ce55bbcf385e84a296768b868b05a5a622db424ea0d7c4e6d4adc4d7a3a9570
• Instruction ID: 4a16ca5e1d78d540f7ce250e3a8fc0ee95b72a7b8c55a72c208d58ce0420d019
• Opcode Fuzzy Hash: 3ce55bbcf385e84a296768b868b05a5a622db424ea0d7c4e6d4adc4d7a3a9570
• Instruction Fuzzy Hash: EE717834A01306DFDB14EBB8D55ABAE7BB6FF84305F108829E411AB394DF389845CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[rendered graph for the function at 136691f; basic-block and edge data not reproduced. API calls on the graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId]
APIs
• GetCurrentProcess.KERNEL32 ref: 013669A0
• GetCurrentThread.KERNEL32 ref: 013669DD
• GetCurrentProcess.KERNEL32 ref: 01366A1A
• GetCurrentThreadId.KERNEL32 ref: 01366A73
Memory Dump Source
• Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: ccd0b5d7d134add11015f3223b95da41d0ae94fdbba9f33828baeda9112aa475
• Instruction ID: e0e2ce12fe3b2b3ce0b49df27b374a3821abe16cb574f2181acd86a7df0da598
• Opcode Fuzzy Hash: ccd0b5d7d134add11015f3223b95da41d0ae94fdbba9f33828baeda9112aa475
• Instruction Fuzzy Hash: 0A5177B4900289DFEB04CFAAD549BDEBFF4EF88318F24846AE549A7350DB745844CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[rendered graph for the function at 1366940; basic-block and edge data not reproduced. API calls on the graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId]
APIs
• GetCurrentProcess.KERNEL32 ref: 013669A0
• GetCurrentThread.KERNEL32 ref: 013669DD
• GetCurrentProcess.KERNEL32 ref: 01366A1A
• GetCurrentThreadId.KERNEL32 ref: 01366A73
Memory Dump Source
• Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: feff3bbed0dac145667001a595e31c5ebbdc060f53d681cab4dfea011c896534
• Instruction ID: 0f14c8c5fa83d59914d28d0254d5af751e8aa24b06aa495a8a3802ea350169cb
• Opcode Fuzzy Hash: feff3bbed0dac145667001a595e31c5ebbdc060f53d681cab4dfea011c896534
• Instruction Fuzzy Hash: 5A5153B4900249CFEB14CFAAC549BDEBFF4EF88318F24846AE559A7350DB746844CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[rendered graph for the function at 156def8; basic-block and edge data not reproduced. API call on the graph: GetPrivateProfileStructW (two call sites)]
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 0156E110
• GetPrivateProfileStructW.KERNEL32 ref: 0156E14E
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: d94d52d8b641e7ccc07e1ab8ed5dba471a77338d4e5911b85a8ad45c7d678d0d
• Instruction ID: 2a100e66606ebe362105bc88f39bb47716690fd4075377c6fbb4c99a38d4ce54
• Opcode Fuzzy Hash: d94d52d8b641e7ccc07e1ab8ed5dba471a77338d4e5911b85a8ad45c7d678d0d
• Instruction Fuzzy Hash: 9271C030B093458FD3429778D8556AA3BF5AB86700F0680B7E548DF3A7EB28DC06C792
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks 1569c10-1569d6b; GetPrivateProfileStructW called twice from block 1569c94-1569d2b (rendered graph and edge list not preserved)
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 01569CE8
• GetPrivateProfileStructW.KERNEL32 ref: 01569D26
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: f96f756b5b34fe575c8851ae66a1083bab8dd6c229d10eefcd0e44de36d94f5c
• Instruction ID: e1c2c588429b325fd3bb578918a8b6d16686188e8f7f4f579d2d8d30a7305f76
• Opcode Fuzzy Hash: f96f756b5b34fe575c8851ae66a1083bab8dd6c229d10eefcd0e44de36d94f5c
• Instruction Fuzzy Hash: 12310670B043098FCB55EB78C8556AE77F5AF84248B1184BAD208DB366EB34CC02CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks 156aee8-156b04b; block 156af17-156af80 calls 156ac20; GetPrivateProfileStructW called from blocks 156afbf-156afcd and 156b000-156b00b (rendered graph and edge list not preserved)
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 0156AFC8
• GetPrivateProfileStructW.KERNEL32 ref: 0156B006
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: d3c9925b45f644619d0de0c69879a5c2fef03f3c9f0a3c5c3c64f8abf600e0b2
• Instruction ID: 9f3b84ef13a4f9b0e044bf0b8822b05796e6e4f162088e62b837a18df4dea078
• Opcode Fuzzy Hash: d3c9925b45f644619d0de0c69879a5c2fef03f3c9f0a3c5c3c64f8abf600e0b2
• Instruction Fuzzy Hash: C031D674B002099FCB54EBB8C8516AEB7F6FFC4254B108469D61AEB355EF349C028BD2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks 1569d80-1569e8b (plus a node at 1569d6b); GetPrivateProfileStructW called twice from block 1569dcf-1569e4b (rendered graph and edge list not preserved)
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 01569E08
• GetPrivateProfileStructW.KERNEL32 ref: 01569E46
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: d32fb1fca98e41b35e2bcc790040bd0547a61bf288ee5d96e3c434a0df27031a
• Instruction ID: b8b7e7a009d08e1f7d409034c13949a9b148bcfe004905546faa1a1b8f330b44
• Opcode Fuzzy Hash: d32fb1fca98e41b35e2bcc790040bd0547a61bf288ee5d96e3c434a0df27031a
• Instruction Fuzzy Hash: 8821B570B042498FCB41EB7CC815ABF77F5AF89248B1484B6D608DB356EB34DC028B91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks 15672f8-15673c3 (plus 15672a3-15672ac); GetPrivateProfileStructW called from blocks 1567337-1567345 and 1567378-1567383 (rendered graph and edge list not preserved)
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 01567340
• GetPrivateProfileStructW.KERNEL32 ref: 0156737E
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: bf1b06f37e4e33300da80360d58b9560591b0102321e2be522912042e86014d4
• Instruction ID: 374bd431bd5d54337a984a6aa2d1f1ff4feda2ee18ce661b5c02d011c2b89f2b
• Opcode Fuzzy Hash: bf1b06f37e4e33300da80360d58b9560591b0102321e2be522912042e86014d4
• Instruction Fuzzy Hash: 5611D075F002188F8F40EFB8D845AAEB7F5FF88254700846AD619E7355EB3499028B91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks 1567308-15673c3; GetPrivateProfileStructW called twice from block 1567308-1567383 (rendered graph and edge list not preserved)
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 01567340
• GetPrivateProfileStructW.KERNEL32 ref: 0156737E
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: 8fa4b7eb732d64eece5cd9e17c7c309d5dbf6814986b1bc735e192e5e6812190
• Instruction ID: 6c1ece5f33456f3d52357823149738c0dd98eb90583c248a3f1b454415b5efb7
• Opcode Fuzzy Hash: 8fa4b7eb732d64eece5cd9e17c7c309d5dbf6814986b1bc735e192e5e6812190
• Instruction Fuzzy Hash: 64118E70F002198F8F40EBB8C855AAEB7F6FF882907008469D619E7354EF349D028B91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks 156af90-156b04b; GetPrivateProfileStructW called twice from block 156af90-156b00b (rendered graph and edge list not preserved)
APIs
• GetPrivateProfileStructW.KERNEL32 ref: 0156AFC8
• GetPrivateProfileStructW.KERNEL32 ref: 0156B006
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: b35102aee557b548b29b1200a786c760f8667ee6a193457928485d7cb4fd1670
• Instruction ID: be7549d5349beb80596915ac12ac91a0e70d210253530e9b596ab6932b7a44fe
• Opcode Fuzzy Hash: b35102aee557b548b29b1200a786c760f8667ee6a193457928485d7cb4fd1670
• Instruction Fuzzy Hash: C7115E71F0021D8F8B44EBB8D855AAEB7F5FF882507108469D619E7354EF349D028B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01364116
Memory Dump Source
• Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 4d90cf468932dc53e3fe7d6db94dc906920325b0fc8e87b069266c8de4a96a29
• Instruction ID: 8261d3bc0b438a1e7b6e4511de438891dbccac559a813f6164b8ddb259825c0c
• Opcode Fuzzy Hash: 4d90cf468932dc53e3fe7d6db94dc906920325b0fc8e87b069266c8de4a96a29
• Instruction Fuzzy Hash: E3B19C74B007068FDB08EF79C48466EBBF6FF88208B108A2DD55ADB755DB34E8158B90
Uniqueness
Uniqueness Score: -1.00%

APIs
• DosPathToSessionPathW.KERNEL32 ref: 0156EEC4
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: Path$Session
• String ID:
• API String ID: 826575967-0
• Opcode ID: 1bde9f2d472d1f3971ff1273e7641cb5eb03e8db21561dd56fabd7135ddb437e
• Instruction ID: ed69e61aa783c1883a20b19d52ff1d9b721344546dc40ee4c18a043a55672b4e
• Opcode Fuzzy Hash: 1bde9f2d472d1f3971ff1273e7641cb5eb03e8db21561dd56fabd7135ddb437e
• Instruction Fuzzy Hash: 1471F834B050098FFF35AABCD45476E75AEE788344F10843AE10ACB786CE28CC5087E2
Uniqueness
Uniqueness Score: -1.00%

APIs
• DosPathToSessionPathW.KERNEL32 ref: 0156EEC4
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: Path$Session
• String ID:
• API String ID: 826575967-0
• Opcode ID: c8d064842dfc7c5940836d754d7a28a633ba70375313c61cb8cf5e7afb15cf66
• Instruction ID: 2deca6282b906f3ae7a60ce2cd7298d3a8f302543e512661c2369550b10d948c
• Opcode Fuzzy Hash: c8d064842dfc7c5940836d754d7a28a633ba70375313c61cb8cf5e7afb15cf66
• Instruction Fuzzy Hash: 9861B634B010198FFF35AABCD45476E759EE788354F20853AE21ACB785CE69CC5147E2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31f0d5c7475bb4ea178b580fd1bb542656a3ce9cc1f238fc558cb62742911fb0
• Instruction ID: 59e396835a5b186fe5dd647c13954c2082f8a672b90729059ecadf0006503547
• Opcode Fuzzy Hash: 31f0d5c7475bb4ea178b580fd1bb542656a3ce9cc1f238fc558cb62742911fb0
• Instruction Fuzzy Hash: 12510FB1C00249EFDF16CFA9C980ADDBFB5BF48354F14816AE908AB220D7759985CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013651A2
Memory Dump Source
• Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 751c8fededbab009e559379946eaf96e35b87474b837c84feef02927317b5481
• Instruction ID: f714c54bc6b722ee348ade675d1701d9c1c61b64beb225ef6878f600879ebe53
• Opcode Fuzzy Hash: 751c8fededbab009e559379946eaf96e35b87474b837c84feef02927317b5481
• Instruction Fuzzy Hash: 5041CDB1D00249DFDF14CFAAD884ADEBFB5BF88354F24812AE819AB210D7749845CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 01568B54
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 3be244278628a065bf076cdffd613faeb62904b0f131f3c83e1be60e30074a1e
• Instruction ID: 94b64bd3797a9ad02f21ab69d8fc074b51d37745b63413badf8f31432ce83994
• Opcode Fuzzy Hash: 3be244278628a065bf076cdffd613faeb62904b0f131f3c83e1be60e30074a1e
• Instruction Fuzzy Hash: 624123B09003498FDB00CF99C588B9EFBF9BB49314F29C16AE909AB351C7759845CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 01367F01
Memory Dump Source
• Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 4fee006f732c326a83b3e7e420ce3767b2a83ecc4e06b5ad8d197c7f4d3e3cd4
• Instruction ID: b9982c9a4648cd94da1553c9a20b771e350471f5a9eefbc53265e80c28388a48
• Opcode Fuzzy Hash: 4fee006f732c326a83b3e7e420ce3767b2a83ecc4e06b5ad8d197c7f4d3e3cd4
• Instruction Fuzzy Hash: 14414CB5900205CFDB14CF99C448B9ABBF9FF88328F14C459E519AB325D734A845CFA0
Uniqueness
Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 01568DC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3660427363-0
                                                                                    • Opcode ID: 31c28b451ae9b202f207944269c96490c16a942f7b8cd6c26a8236b1019055ff
                                                                                    • Instruction ID: 5b2106c834f9e29d39c487ad21e735c929a9591fdd1c02651175b23727ee7ad8
                                                                                    • Opcode Fuzzy Hash: 31c28b451ae9b202f207944269c96490c16a942f7b8cd6c26a8236b1019055ff
                                                                                    • Instruction Fuzzy Hash: 6B31EEB1D00259DFDB20CFAAC984A9EBFF5BF48310F15842AE819AB210D7749945CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 01568DC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3660427363-0
                                                                                    • Opcode ID: 8b501139bd6785bbcefd1c9c011150c0d44f73e97c8ed7baf453781e03302466
                                                                                    • Instruction ID: b7f805b84125c69163f1624dbac9e7ebf912c0a47a6b39a50781c99198e4ec0c
                                                                                    • Opcode Fuzzy Hash: 8b501139bd6785bbcefd1c9c011150c0d44f73e97c8ed7baf453781e03302466
                                                                                    • Instruction Fuzzy Hash: 8831BEB1D00259DFDB10CF9AD984A9EFFF9BF48310F55842AE819AB210D7749945CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01366BEF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 256c573744a838040a25acf40830bb1e2dbd52c6a614d233a4bec30e805e828c
                                                                                    • Instruction ID: 0f1308f72a6272fa840b93c8f33a821146e0aebf88c2863df620f47978376ea7
                                                                                    • Opcode Fuzzy Hash: 256c573744a838040a25acf40830bb1e2dbd52c6a614d233a4bec30e805e828c
                                                                                    • Instruction Fuzzy Hash: 7021E4B5900248EFDB10CF9AD984BDEBFF8EB48324F14842AE955A3310D374A944CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01366BEF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: b95720f19559d6f5ed848b39af832d5af77401de3cee8c8da5a0b6443128f733
                                                                                    • Instruction ID: 7adbe1d28ea59b5c4c2792a6e065e48c1e4ec7379d327553a03e05c852eba36d
                                                                                    • Opcode Fuzzy Hash: b95720f19559d6f5ed848b39af832d5af77401de3cee8c8da5a0b6443128f733
                                                                                    • Instruction Fuzzy Hash: 9121C4B5900249DFDB10CF9AD584ADEBFF8EB48324F14842AE955A7310D374A954CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 0136BEF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: EncodePointer
                                                                                    • String ID:
                                                                                    • API String ID: 2118026453-0
                                                                                    • Opcode ID: d0b0050302e44eead6dd2c2d15b739c77245abb780db84803e6467d38966af6e
                                                                                    • Instruction ID: 52a53383de37514b4ad460b2e7d188ceefd919058989be749caa732b7fdc7493
                                                                                    • Opcode Fuzzy Hash: d0b0050302e44eead6dd2c2d15b739c77245abb780db84803e6467d38966af6e
                                                                                    • Instruction Fuzzy Hash: 56219DB690434A8FDB10DFA9D5493DEBFF8EB08328F14842AE449E7645C7395544CF61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,01577999,00000800), ref: 01577A2A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.518031450.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1570000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: bd972776f69a45620e08b014afc4ac35046c34100a532e4b721ef3fe44490b0b
                                                                                    • Instruction ID: 7b217f0f7b9b9b87f984f20352efeb86d5cb0638cda90fd5a6a70e8287b88b22
                                                                                    • Opcode Fuzzy Hash: bd972776f69a45620e08b014afc4ac35046c34100a532e4b721ef3fe44490b0b
                                                                                    • Instruction Fuzzy Hash: E01106B59002499FDB10DF9AE448BDEBBF4EB88310F04842EE515A7200C375A545CFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 0136BEF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: EncodePointer
                                                                                    • String ID:
                                                                                    • API String ID: 2118026453-0
                                                                                    • Opcode ID: 96a1949882e51c81ddc8144a6b0c7e52437b0f5d0817650cfb3db0c679125832
                                                                                    • Instruction ID: 09becf2f565b5aa216153127f30fb055996dcf4c3471f4ea13ebe6420d91f47f
                                                                                    • Opcode Fuzzy Hash: 96a1949882e51c81ddc8144a6b0c7e52437b0f5d0817650cfb3db0c679125832
                                                                                    • Instruction Fuzzy Hash: C3116AB1A003498FDB10DFAAD54979EBFF8EB48328F148429E449E7645C739A944CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,01577999,00000800), ref: 01577A2A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.518031450.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1570000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: 7d5a893d5d3cdd22dfc07049ddedbc16bb4634a51f330a3c3a85216a0eb548f7
                                                                                    • Instruction ID: 1b4ef85ea428bad20e18416c315b27531a7053c7e1f74678286cd2f9098f5c03
                                                                                    • Opcode Fuzzy Hash: 7d5a893d5d3cdd22dfc07049ddedbc16bb4634a51f330a3c3a85216a0eb548f7
                                                                                    • Instruction Fuzzy Hash: 6F1106B69002499FDB10CFAAE444BDEFFF4AB88314F14856ED456A7200C375A545CFA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01364116
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: c4b080cd6ea807835a16dda1f3edc7681001d779c924a346c00052efcd9aa417
                                                                                    • Instruction ID: fedc264981a694109e7fefad266aa21ab233f783a3c8eb8d6e6a46760883db2a
                                                                                    • Opcode Fuzzy Hash: c4b080cd6ea807835a16dda1f3edc7681001d779c924a346c00052efcd9aa417
                                                                                    • Instruction Fuzzy Hash: BB11EEB6D006498BDB14CF9AC44478EFBF4EF88228F24C56AC459A7214D339A5468FA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01364116
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: 110addf330567c346b4829a45ad673db848e2967eaf25bea34ab3d59cf1c12cd
                                                                                    • Instruction ID: 44d03960304ebe7983eaa41dc79ddde4367dfa2e6b1f8547d6f84a6ab107a147
                                                                                    • Opcode Fuzzy Hash: 110addf330567c346b4829a45ad673db848e2967eaf25bea34ab3d59cf1c12cd
                                                                                    • Instruction Fuzzy Hash: F21132B5D00649CFDB10DF9AD444BDEFBF8EB89224F00802AD829B7200C379A545CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01364116
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517755778.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1360000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: bcd8c51237819bff4dc9efe60cedf38ca47d4897ccfe06250f1a21cff41e032d
                                                                                    • Instruction ID: 16f261cf0711c2c43ab17951428530cbeb9d84c089ab8846449c7ba53e9caacb
                                                                                    • Opcode Fuzzy Hash: bcd8c51237819bff4dc9efe60cedf38ca47d4897ccfe06250f1a21cff41e032d
                                                                                    • Instruction Fuzzy Hash: CF1113B6D006498FDB10CF9AC444BDEFBF8EF88224F15842AD859B7200C379A545CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 0157B455
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.518031450.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1570000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    • Opcode ID: 00a6e52c80cea79b046094f2b0a8bef9ef30e3870ba38159ce4ac7239b2eeef4
                                                                                    • Instruction ID: 7b483af11f2a16f62db85ef0c404bda02264422ea803437d934e8058284701c6
                                                                                    • Opcode Fuzzy Hash: 00a6e52c80cea79b046094f2b0a8bef9ef30e3870ba38159ce4ac7239b2eeef4
                                                                                    • Instruction Fuzzy Hash: D11145B1900689CFDB10CF99D445BCEBBF4AF48324F14841AE519A7600C378A944CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 0157B455
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.518031450.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1570000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    • Opcode ID: 2382ffe9b54fcc01d9bdb47a2c3f1db154293d4ebe7ef7822ef2bb22deb88920
                                                                                    • Instruction ID: 42c02dbac83b34cac6439db4c61ed88d1e8d409d516001f6f780aff4a9760800
                                                                                    • Opcode Fuzzy Hash: 2382ffe9b54fcc01d9bdb47a2c3f1db154293d4ebe7ef7822ef2bb22deb88920
                                                                                    • Instruction Fuzzy Hash: 2B1145B0800648CFDB10DF9AD449BDEBBF8EB48324F108469E519A7300C374A944CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetPrivateProfileStructW.KERNEL32 ref: 01569D26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileStruct
                                                                                    • String ID:
                                                                                    • API String ID: 1702260739-0
                                                                                    • Opcode ID: 7f05ab23d7a3be7383e4594f4233504ae53ca43a4b2c9dc5b11b3d888c86da12
                                                                                    • Instruction ID: 8ca92c399b8361eb42e2d4dcebba4f8ab9d74e99dd572b18c38b22b2730e81f7
                                                                                    • Opcode Fuzzy Hash: 7f05ab23d7a3be7383e4594f4233504ae53ca43a4b2c9dc5b11b3d888c86da12
                                                                                    • Instruction Fuzzy Hash: 55E06D35B0001D8B8F04EBB8D8465ADB3F1BFC8254B014061E60AE7365EE389C018790
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetPrivateProfileStructW.KERNEL32 ref: 0156E14E
                                                                                    Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: 75abee5d66a9795d3f4a24937ece9aa8aa442a29e5258bbb648c336300d99947
• Instruction ID: e06ac71f617c2ef4339479dbf9bba44a1f3bdf8cc5e47612268c9791bd0913e3
• Opcode Fuzzy Hash: 75abee5d66a9795d3f4a24937ece9aa8aa442a29e5258bbb648c336300d99947
• Instruction Fuzzy Hash: 90E0ED36B0011D8B8F45FBB8D8559EEB3F1FFC8250B018465E61AE7365EE389C019B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStructW.KERNEL32 ref: 0156737E
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: 672a1c1518d4e1e963b9361480efbe6bc0068aca995d1271416de33375707671
• Instruction ID: 09c228d5ac01badc0d9e5a5a93e413b65e2d2edd7d85bc34e9d9e0ed063a6ab1
• Opcode Fuzzy Hash: 672a1c1518d4e1e963b9361480efbe6bc0068aca995d1271416de33375707671
• Instruction Fuzzy Hash: 7DE01235B0011D8B8F44FBB8D8559EDB3F1BFC86547018465EA1AE7365EF389C0297A1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStructW.KERNEL32 ref: 0156B006
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: 3ecd534a216c327a797ed40119aa425220deeb5338b7fe5c0ae647cf5e23881b
• Instruction ID: f26cd20f05b997f7820f2459422569def9288e7afd23baf25cbc1e9ced95fc85
• Opcode Fuzzy Hash: 3ecd534a216c327a797ed40119aa425220deeb5338b7fe5c0ae647cf5e23881b
• Instruction Fuzzy Hash: 25E06D35B0011C8B8F04EBB8D8459AEB3F1BFC82607014065E61AE7365EE389C018761
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStructW.KERNEL32 ref: 01569E46
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: c5fbedbe4cb7151e421e9f8af770fec8bf0272e1f1d9168eec949412b37095f1
• Instruction ID: 52be00e532815011a1f6f27dc52e7142b82872a641b96b455d05f4c57c07cfd0
• Opcode Fuzzy Hash: c5fbedbe4cb7151e421e9f8af770fec8bf0272e1f1d9168eec949412b37095f1
• Instruction Fuzzy Hash: FAE0ED35B0011D8F8F44EBB8D8555EDB3F1BFC8254B018465E61AE7365EE389C019B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStructW.KERNEL32 ref: 015686E6
Memory Dump Source
• Source File: 00000001.00000002.517956285.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1560000_MSBuild.jbxd
Similarity
• API ID: PrivateProfileStruct
• String ID:
• API String ID: 1702260739-0
• Opcode ID: 71d06848edd705db322fe15a913afbe6eec60714070102fe4dd0a0862f6d5317
• Instruction ID: 7c18254cc8403483f64ea49dca1cb7da5c68be21df883d243b4692ac1d339072
• Opcode Fuzzy Hash: 71d06848edd705db322fe15a913afbe6eec60714070102fe4dd0a0862f6d5317
• Instruction Fuzzy Hash: 66E06D35B0011C8B8F04EBB8D8559ADB3F1BFC82507014065E60AE7365EE289C028790
Uniqueness
Uniqueness Score: -1.00%