Windows Analysis Report
DHL #109#.exe

Overview

General Information

Sample Name: DHL #109#.exe
Analysis ID: 798306
MD5: eb529efe16b4f7171fc8c4e132ce0c60
SHA1: 57847e14c4e9b3d11d03bec969b1c79c34c1d434
SHA256: 445ee45f82c11bdaaeef1a816c54d537307aff9cb575acfbc214eca86231e133
Tags: DHL, exe

Detection

Predator
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Yara detected Predator
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large strings
Machine Learning detection for dropped file
Moves itself to temp directory
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • DHL #109#.exe (PID: 3076 cmdline: C:\Users\user\Desktop\DHL #109#.exe MD5: EB529EFE16B4F7171FC8C4E132CE0C60)
    • schtasks.exe (PID: 3664 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL #109#.exe (PID: 4016 cmdline: {path} MD5: EB529EFE16B4F7171FC8C4E132CE0C60)
      • Zip.exe (PID: 2944 cmdline: "C:\Users\user\AppData\Local\Temp\Zip.exe" MD5: AF07E88EC22CC90CEBFDA29517F101B9)
  • SDGUedyFqQlpw.exe (PID: 3396 cmdline: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe MD5: EB529EFE16B4F7171FC8C4E132CE0C60)
    • schtasks.exe (PID: 4684 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp85AA.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • update_230310.exe (PID: 4652 cmdline: "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start MD5: EB529EFE16B4F7171FC8C4E132CE0C60)
  • update_230310.exe (PID: 6088 cmdline: "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start MD5: EB529EFE16B4F7171FC8C4E132CE0C60)
    • WerFault.exe (PID: 4576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 1432 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • update_230310.exe (PID: 4012 cmdline: "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start MD5: EB529EFE16B4F7171FC8C4E132CE0C60)
  • update_230310.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start MD5: EB529EFE16B4F7171FC8C4E132CE0C60)
    • WerFault.exe (PID: 5644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1428 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Zip.exe | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

Source | Rule | Description | Author | Strings
00000003.00000002.601389886.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Predator | Yara detected Predator | Joe Security
00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown
  • 0xe1cf5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
00000003.00000002.590990822.0000000000466000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown
  • 0xdcd:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
(19 further entries not shown)

Source | Rule | Description | Author | Strings
5.0.Zip.exe.14b55360000.0.unpack | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
26.2.SDGUedyFqQlpw.exe.400000.2.unpack | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen
  • 0x7d546:$s1: \Vpn\NordVPN
  • 0x80cb0:$s2: \VPN\OpenVPN
  • 0x80d1e:$s3: \VPN\ProtonVPN
26.2.SDGUedyFqQlpw.exe.30aef00.3.raw.unpack | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
0.2.DHL #109#.exe.3a8ba10.4.raw.unpack | JoeSecurity_Predator | Yara detected Predator | Joe Security
0.2.DHL #109#.exe.3a8ba10.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(54 further entries not shown)

            Persistence and Installation Behavior

            Source: Process started, Author: Joe Security, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\DHL #109#.exe, ParentImage: C:\Users\user\Desktop\DHL #109#.exe, ParentProcessId: 3076, ParentProcessName: DHL #109#.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp, ProcessId: 3664, ProcessName: schtasks.exe
            No Snort rule has matched

            AV Detection

            Source: DHL #109#.exe, ReversingLabs: Detection: 21%
            Source: DHL #109#.exe, Virustotal: Detection: 37%
            Source: http://bblaccessories.com/webpanel, Avira URL Cloud: Label: malware
            Source: Yara match, File source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: DHL #109#.exe PID: 3076, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: DHL #109#.exe PID: 4016, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 3396, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 1576, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Avira: detection malicious, Label: TR/Redcap.vxffz
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, ReversingLabs: Detection: 76%
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe, ReversingLabs: Detection: 21%
            Source: DHL #109#.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe, Joe Sandbox ML: detected
            Source: DHL #109#.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: DHL #109#.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Core.ni.pdbRSDSD source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: (Pon0C:\Windows\EOFmqeF.pdbpdbqeF.pdb6 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb03fTp source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdbMZ@ source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Xml.pdb\ source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\update_230310.PDB source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\update_230310.PDBo source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: (PonPC:\Windows\System.Runtime.Remoting.pdb source: SDGUedyFqQlpw.exe, 00000004.00000002.589351882.0000000008E0C000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\update_230310.PDB source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: symbols\exe\EOFmqeF.pdbE source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.pdbMZ source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Runtime.Remoting.pdbMZ@ source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.0000000000484000.00000040.00000400.00020000.00000000.sdmp
            Source: Binary string: System.Core.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdbSystem.Runtime.Remoting.dllSystem.Runtime.Remoting.dll source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdb`B source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: znC:\Users\user\AppData\Local\Temp\EOFmqeF.pdbosoft.VisualBasic\v4.0_10.0.0.0__b03f5fF6 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: 11d50a3a\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.590990822.000000000046A000.00000040.00000400.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000000.406009010.0000014B55368000.00000002.00000001.01000000.0000000A.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe.3.dr
            Source: Binary string: EOFmqeF.pdbOFmqeF.pdbpdbqeF.pdbEOFmqeF.pdb5563209-4053062332-1002 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\EOFmqeF.pdbhq source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\exe\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: .pdby source: SDGUedyFqQlpw.exe, 00000004.00000002.589351882.0000000008E0C000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: (Pon0C:\Windows\EOFmqeF.pdbpdbqeF.pdb source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: .pdb0 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: EOFmqeF.pdb source: DHL #109#.exe, WER8AB0.tmp.dmp.21.dr, SDGUedyFqQlpw.exe.0.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: C:\Windows\EOFmqeF.pdbpdbqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb`B source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: znC:\Users\user\AppData\Local\Temp\EOFmqeF.pdbosoft.VisualBasic\v4.0_10.0.0.0__b03f5fF source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\EOFmqeF.pdb6 source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Configuration.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\System.pdb source: SDGUedyFqQlpw.exe, 00000004.00000003.486034018.0000000008FFA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: SDGUedyFqQlpw.exe, 00000004.00000002.589351882.0000000008E0C000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb4: source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: System.Xml.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: o.pdb source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004201000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.0000000000461000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000045BE000.00000004.00000800.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll0.3.dr
            Source: Binary string: C:\Users\user\AppData\Local\Temp\EOFmqeF.pdb66 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: EOFmqeF.pdbSHA256t source: DHL #109#.exe, WER8AB0.tmp.dmp.21.dr, SDGUedyFqQlpw.exe.0.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Xml.pdbH source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: mscorlib.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.pdb8) source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: System.Drawing.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Core.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Core.pdbMZ source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: osymbols\exe\EOFmqeF.pdbE source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\exe\EOFmqeF.pdb= source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: .pdb@ source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr

            Networking

            Source: C:\Users\user\Desktop\DHL #109#.exe, DNS query: name: ip-api.com
            Source: C:\Users\user\Desktop\DHL #109#.exe, DNS query: name: ip-api.com
            Source: C:\Users\user\Desktop\DHL #109#.exe, DNS query: name: ip-api.com
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, DNS query: name: ip-api.com
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, DNS query: name: ip-api.com
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, DNS query: name: ip-api.com
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe, DNS query: name: ip-api.com
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe, DNS query: name: ip-api.com
            Source: Yara match, File source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /json/ HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
            Source: Joe Sandbox View, IP Address: 208.95.112.1
            Source: Joe Sandbox View, IP Address: 208.95.112.1
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://bblaccessories.com/webpanel
            Source: DHL #109#.exe, 00000000.00000003.317732879.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://en.wikip
            Source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000419F000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.590990822.0000000000464000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000045C1000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.0000000000461000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004622000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004625000.00000004.00000800.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll0.3.dr, String found in binary or memory: http://expression/newtonsoft.json.dll
            Source: DHL #109#.exe, 00000000.00000003.318460569.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.318382526.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com
            Source: update_230310.exe, 0000000B.00000002.458348039.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.478611813.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://foo.com/foo
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B5718F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571AA000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571D2000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571DE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com
            Source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571AA000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000000.405942498.0000014B55362000.00000002.00000001.01000000.0000000A.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B57111000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571DE000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.000000000047F000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.0000000000467000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe.3.dr, String found in binary or memory: http://ip-api.com/json/
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com4Dp
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com4Dp8
            Source: Zip.exe, 00000005.00000002.494978051.0000014B571AA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com8
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.comD8Dp4
            Source: Zip.exe, 00000005.00000002.494978051.0000014B5718F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571DE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.comx
            Source: Newtonsoft.Json.dll0.3.dr, String found in binary or memory: http://james.newtonking.com/projects/json
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.645437394.000000000798A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.ado/1
            Source: DHL #109#.exe, 00000003.00000002.647285236.000000000788C000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.438266278.000000000788F000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.400369407.000000000787B000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.437944666.0000000007891000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.ado/1k
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.645437394.000000000798A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.adobe.c/g
            Source: DHL #109#.exe, 00000003.00000002.647285236.000000000788C000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.438266278.000000000788F000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.400369407.000000000787B000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.437944666.0000000007891000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.adobe.c/gk
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.645437394.000000000798A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.adobe.cobj
            Source: DHL #109#.exe, 00000003.00000002.647285236.000000000788C000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.438266278.000000000788F000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.400369407.000000000787B000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.437944666.0000000007891000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.adobe.cobjk
            Source: DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B57111000.00000004.00000800.00020000.00000000.sdmp, update_230310.exe, 0000000B.00000002.458348039.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.478611813.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: DHL #109#.exe, SDGUedyFqQlpw.exe.0.dr, String found in binary or memory: http://teamwiki.de/twiki/vb_tool.php)MSXML2.ServerXMLHTTP
            Source: Amcache.hve.21.dr, String found in binary or memory: http://upx.sf.net
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.321783957.0000000005A09000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: DHL #109#.exe, 00000000.00000003.323381300.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.322676068.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.323305799.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.com
            Source: DHL #109#.exe, 00000000.00000003.323381300.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.322676068.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.323305799.0000000005A02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comC
            Source: DHL #109#.exe, 00000000.00000003.323381300.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.322676068.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.323305799.0000000005A02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: DHL #109#.exe, 00000000.00000002.362907181.0000000000FB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commita9
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: DHL #109#.exe, 00000000.00000003.318014020.0000000000FBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com;
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.320597559.0000000005A11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: DHL #109#.exe, 00000000.00000003.320597559.0000000005A11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnP
            Source: DHL #109#.exe, 00000000.00000003.320634552.0000000005A03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnht/
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: DHL #109#.exe, 00000000.00000003.317237807.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316497484.0000000005A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: DHL #109#.exe, 00000000.00000003.317779300.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317934427.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316786310.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316605273.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317654836.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316945169.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316854752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317881321.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316636779.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316561265.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316977271.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317065111.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317237807.0000000005A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com2
            Source: DHL #109#.exe, 00000000.00000003.316484548.0000000000FBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coml
            Source: DHL #109#.exe, 00000000.00000003.316484548.0000000000FBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comrow
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: DHL #109#.exe, 00000000.00000003.320522721.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.320634552.0000000005A03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kru
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: DHL #109#.exe, 00000000.00000003.321783957.0000000005A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnue
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B57209000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.000000000047F000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000003086000.00000004.00000800.00020000.00000000.sdmp, info.txt.3.drString found in binary or memory: https://gomorrah.pw
            Source: DHL #109#.exe, SDGUedyFqQlpw.exe.0.drString found in binary or memory: https://max-weller.de
            Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
            Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
            Source: DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
            Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
            Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: unknown | DNS traffic detected: queries for: ip-api.com
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /json/ HTTP/1.1
                Host: ip-api.com
                Connection: Keep-Alive
            Source: DHL #109#.exe, 00000000.00000002.361918826.0000000000D29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

            Source: Yara match | File source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 3076, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 4016, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 3396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 1576, type: MEMORYSTR

            System Summary

            Source: 5.0.Zip.exe.14b55360000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 26.2.SDGUedyFqQlpw.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 26.2.SDGUedyFqQlpw.exe.30aef00.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 4.2.SDGUedyFqQlpw.exe.31812d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
            Source: 0.2.DHL #109#.exe.28b64c4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 3.2.DHL #109#.exe.2c59d24.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
            Source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 00000003.00000002.590990822.0000000000466000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 00000005.00000000.405942498.0000014B55362000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPED | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 Author: unknown
            Source: DHL #109#.exe, frm_options.cs | Long String: Length: 72717
            Source: SDGUedyFqQlpw.exe.0.dr, frm_options.cs | Long String: Length: 72717
            Source: 0.0.DHL #109#.exe.4d0000.0.unpack, frm_options.cs | Long String: Length: 72717
            Source: DHL #109#.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 5.0.Zip.exe.14b55360000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 26.2.SDGUedyFqQlpw.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 26.2.SDGUedyFqQlpw.exe.30aef00.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 4.2.SDGUedyFqQlpw.exe.31812d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
            Source: 0.2.DHL #109#.exe.28b64c4.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 3.2.DHL #109#.exe.2c59d24.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
            Source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 00000003.00000002.590990822.0000000000466000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 00000005.00000000.405942498.0000014B55362000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPEDMatched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 1432
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 0_2_00D1C2B0
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 0_2_00D19968
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 0_2_053E0006
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 0_2_053E0040
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_00E9DDE8
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_00E9DED4
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_00E9DDA9
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_00E9DE28
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_02A3B29C
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_02A3C310
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_02A3B290
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_02A3B1F2
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_02A399D0
            Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_02A3DFD0
            Source: DHL #109#.exe, 00000000.00000002.399292839.0000000008CC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.363079133.0000000002914000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameupdate_windows10.exeD vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000000.310547701.00000000004D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEOFmqeF.exe6 vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEOFmqeF.exe6 vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.397532415.0000000007550000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWinForm.dllX vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinForm.dllX vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameupdate_windows10.exeD vs DHL #109#.exe
            Source: DHL #109#.exe, 00000000.00000002.361918826.0000000000D29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.590990822.000000000046A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCustomMarshalers.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.590990822.0000000000486000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameupdate_windows10.exeD vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCustomMarshalers.dllT vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.615393541.000000000413E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEOFmqeF.exe6 vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs DHL #109#.exe
            Source: DHL #109#.exe, 00000003.00000002.615393541.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEOFmqeF.exe6 vs DHL #109#.exe
            Source: DHL #109#.exe | Binary or memory string: OriginalFilenameEOFmqeF.exe6 vs DHL #109#.exe
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeSection loaded: sfc.dll
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeSection loaded: sfc.dll
            Source: DHL #109#.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SDGUedyFqQlpw.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: DHL #109#.exeReversingLabs: Detection: 21%
            Source: DHL #109#.exeVirustotal: Detection: 37%
            Source: C:\Users\user\Desktop\DHL #109#.exeFile read: C:\Users\user\Desktop\DHL #109#.exeJump to behavior
            Source: DHL #109#.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\DHL #109#.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\DHL #109#.exe C:\Users\user\Desktop\DHL #109#.exe
            Source: C:\Users\user\Desktop\DHL #109#.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL #109#.exeProcess created: C:\Users\user\Desktop\DHL #109#.exe {path}
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
            Source: C:\Users\user\Desktop\DHL #109#.exeProcess created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_230310.exe "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_230310.exe "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_230310.exe "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\update_230310.exe "C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 1432
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1428
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp85AA.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess created: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe {path}
            Source: C:\Users\user\Desktop\DHL #109#.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmpJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeProcess created: C:\Users\user\Desktop\DHL #109#.exe {path}Jump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeProcess created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe" Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp85AA.tmpJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess created: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe {path}Jump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
            Source: C:\Users\user\Desktop\DHL #109#.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
            Source: C:\Users\user\Desktop\DHL #109#.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
            Source: C:\Users\user\Desktop\DHL #109#.exeFile created: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeFile created: C:\Users\user\AppData\Local\Temp\tmp6F29.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@20/24@8/2
            Source: C:\Users\user\Desktop\DHL #109#.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000427A000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.000000000303D000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000003049000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004697000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DHL #109#.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL #109#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5296
Source: C:\Users\user\Desktop\DHL #109#.exe | Mutant created: \Sessions\1\BaseNamedObjects\update_windows10
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6088
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3016:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01
Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Mutant created: \Sessions\1\BaseNamedObjects\OjFUNPBNAAii
Source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: C:\Users\user\Desktop\DHL #109#.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Zip.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL #109#.exe | Automated click: Continue
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL #109#.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL #109#.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: DHL #109#.exe | Static file information: File size 1190400 > 1048576
Source: DHL #109#.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL #109#.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x107c00
Source: DHL #109#.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: DHL #109#.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: System.Core.ni.pdbRSDSD source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: (Pon0C:\Windows\EOFmqeF.pdbpdbqeF.pdb6 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb03fTp source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdbMZ@ source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Xml.pdb\ source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\update_230310.PDB source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\update_230310.PDBo source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: (PonPC:\Windows\System.Runtime.Remoting.pdb source: SDGUedyFqQlpw.exe, 00000004.00000002.589351882.0000000008E0C000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\update_230310.PDB source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: symbols\exe\EOFmqeF.pdbE source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.pdbMZ source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Runtime.Remoting.pdbMZ@ source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.0000000000484000.00000040.00000400.00020000.00000000.sdmp
            Source: Binary string: System.Core.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdbSystem.Runtime.Remoting.dllSystem.Runtime.Remoting.dll source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdb`B source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: znC:\Users\user\AppData\Local\Temp\EOFmqeF.pdbosoft.VisualBasic\v4.0_10.0.0.0__b03f5fF6 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: 11d50a3a\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.590990822.000000000046A000.00000040.00000400.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000000.406009010.0000014B55368000.00000002.00000001.01000000.0000000A.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe.3.dr
            Source: Binary string: EOFmqeF.pdbOFmqeF.pdbpdbqeF.pdbEOFmqeF.pdb5563209-4053062332-1002 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\EOFmqeF.pdbhq source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\exe\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: .pdby source: SDGUedyFqQlpw.exe, 00000004.00000002.589351882.0000000008E0C000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: (Pon0C:\Windows\EOFmqeF.pdbpdbqeF.pdb source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: .pdb0 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: EOFmqeF.pdb source: DHL #109#.exe, WER8AB0.tmp.dmp.21.dr, SDGUedyFqQlpw.exe.0.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: C:\Windows\EOFmqeF.pdbpdbqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb`B source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: znC:\Users\user\AppData\Local\Temp\EOFmqeF.pdbosoft.VisualBasic\v4.0_10.0.0.0__b03f5fF source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\EOFmqeF.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\EOFmqeF.pdb6 source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Configuration.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\System.pdb source: SDGUedyFqQlpw.exe, 00000004.00000003.486034018.0000000008FFA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: SDGUedyFqQlpw.exe, 00000004.00000002.589351882.0000000008E0C000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb4: source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: System.Xml.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: o.pdb source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004201000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.0000000000461000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000045BE000.00000004.00000800.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll0.3.dr
            Source: Binary string: C:\Users\user\AppData\Local\Temp\EOFmqeF.pdb66 source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: EOFmqeF.pdbSHA256t source: DHL #109#.exe, WER8AB0.tmp.dmp.21.dr, SDGUedyFqQlpw.exe.0.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Xml.pdbH source: WERAC41.tmp.dmp.23.dr
            Source: Binary string: mscorlib.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.pdb8) source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: System.Drawing.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Core.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: System.Core.pdbMZ source: WER8AB0.tmp.dmp.21.dr
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: osymbols\exe\EOFmqeF.pdbE source: update_230310.exe, 00000014.00000002.466841635.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\exe\EOFmqeF.pdb= source: update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
            Source: Binary string: .pdb@ source: update_230310.exe, 0000000B.00000002.453692819.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER8AB0.tmp.dmp.21.dr, WERAC41.tmp.dmp.23.dr
Source: C:\Users\user\Desktop\DHL #109#.exe | Code function: 3_2_02A3E672 push eax; ret 3_2_02A3E679
Source: initial sample | Static PE information: section name: .text entropy: 7.513961549932198
Source: C:\Users\user\Desktop\DHL #109#.exe | File created: C:\Users\user\Desktop\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\DHL #109#.exe | File created: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
Source: C:\Users\user\Desktop\DHL #109#.exe | File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\DHL #109#.exe | File created: C:\Users\user\AppData\Local\Temp\Zip.exe

            Boot Survival

Source: C:\Users\user\Desktop\DHL #109#.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp
Source: C:\Users\user\Desktop\DHL #109#.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater

            Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (31).png
Source: c:\users\user\desktop\dhl #109#.exe | File moved: C:\Users\user\AppData\Local\Temp\update_230310.exe
Source: C:\Users\user\Desktop\DHL #109#.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match - File source: Process Memory Space: DHL #109#.exe PID: 3076, type: MEMORYSTR
            Source: Yara match - File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 3396, type: MEMORYSTR
            Source: DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\DHL #109#.exe TID: 4788 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\DHL #109#.exe TID: 1272 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\DHL #109#.exe TID: 4360 - Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe TID: 5912 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe TID: 5816 - Thread sleep count: 324 > 30
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe TID: 4852 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 3996 - Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 3996 - Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe TID: 4644 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe TID: 5508 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe TID: 5100 - Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe TID: 5100 - Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe TID: 4692 - Thread sleep count: 9660 > 30
            Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed (2 entries)
            Source: C:\Users\user\Desktop\DHL #109#.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\Newtonsoft.Json.dll
            Source: C:\Users\user\Desktop\DHL #109#.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
            Source: C:\Users\user\Desktop\DHL #109#.exe - Thread delayed: delay time: 922337203685477 (3 entries)
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe - Thread delayed: delay time: 922337203685477 (2 entries)
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe - Thread delayed: delay time: 922337203685477 (2 entries)
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\DHL #109#.exe - Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            Source: C:\Users\user\Desktop\DHL #109#.exe - Window / User API: threadDelayed 9615
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe - Window / User API: threadDelayed 9682
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe - Window / User API: threadDelayed 9660
            Source: C:\Users\user\Desktop\DHL #109#.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor (2 entries)
            Source: C:\Users\user\Desktop\DHL #109#.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor (2 entries)
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor (2 entries)
            Source: C:\Users\user\Desktop\DHL #109#.exe - Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\DHL #109#.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Zip.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeThread delayed: delay time: 922337203685477
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware
            Source: Amcache.hve.21.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware, Inc.
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.598530994.00000000013D5000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMWARE
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware, Inc.me
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: DHL #109#.exe, 00000000.00000002.362584894.0000000000E08000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware SVGA II
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: DHL #109#.exe, 00000000.00000002.361918826.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{[
            Source: DHL #109#.exe, 00000000.00000002.361918826.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.526108699.000000000164F000.00000004.00000020.00020000.00000000.sdmp, update_230310.exe, 0000000B.00000002.455230591.00000000013AA000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.21.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
            Source: Amcache.hve.21.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g
            Source: Amcache.hve.21.dr -- Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: vmware
            Source: SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: Amcache.hve.21.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware7,1
            Source: Amcache.hve.21.dr -- Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.21.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.21.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.21.dr -- Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: Amcache.hve.21.dr -- Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
            Source: Zip.exe, 00000005.00000002.492612721.0000014B5552C000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Process token adjusted: Debug
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe -- Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe -- Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe -- Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe -- Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe -- Process queried: DebugPort
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\DHL #109#.exe -- Memory written: C:\Users\user\Desktop\DHL #109#.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe -- Memory written: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Process created: C:\Users\user\Desktop\DHL #109#.exe {path}
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Process created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe"
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp85AA.tmp
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe -- Process created: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe {path}
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Users\user\Desktop\DHL #109#.exe VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exe -- Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Users\user\Desktop\DHL #109#.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Queries volume information: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Zip.exe | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\update_230310.exe | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll | VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeQueries volume information: C:\Users\user\AppData\Local\Temp\update_230310.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\update_230310.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL #109#.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\Desktop\DHL #109#.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Users\user\Desktop\DHL #109#.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
            Source: Amcache.hve.21.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.21.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: SDGUedyFqQlpw.exe, 0000001A.00000002.598530994.00000000013D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 3076, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 4016, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 3396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 1576, type: MEMORYSTR
            Source: C:\Users\user\Desktop\DHL #109#.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\DHL #109#.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\DHL #109#.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.601389886.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 3076, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 4016, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 3396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 1576, type: MEMORYSTR
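The behaviours worth turning into detection content are spread over two places in this section: the discovery lines earlier (the two root\SecurityCenter2 WMI queries for AntivirusProduct and FirewallProduct, and the read of HKLM\SOFTWARE\Microsoft\Cryptography MachineGuid, which stealers use as a stable victim ID) and the three Chrome profile databases (History, Web Data, Login Data) opened here by a process that is not the browser. The "Queries volume information" entries are the .NET runtime's own lookups on the assemblies it loads, which every .NET sample produces; on their own they are noise, but the set of assemblies is telling (System.Management backs the WMI queries, System.IO.Compression backs the archiving done by Zip.exe, System.Web.Extensions provides JSON serialisation). The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's "Source: <process><action>: <target>" layout, tags each process with the reconnaissance and credential-store behaviours it showed, and reports processes that combine them. The four action labels are the ones used on this page; the browser-binary allow-list, the list of user-writable directories and the benign chrome.exe control line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "Source: <process><action>: <target>"
# layout. The first six lines reproduce findings from this page; the chrome.exe
# line is a made-up benign control that exercises the process check.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\DHL #109#.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\DHL #109#.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Users\user\Desktop\DHL #109#.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct",
    r"Source: C:\Users\user\Desktop\DHL #109#.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\DHL #109#.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History",
    r"Source: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

# The four action labels used on this page. The process path runs straight into
# the label with no separator, so the path is matched up to its ".exe".
ACTIONS = ("Key value queried", "WMI Queries", "File opened", "Queries volume information")
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)(?P<action>"
    + "|".join(re.escape(a) for a in ACTIONS)
    + r"): (?P<target>.+)$"
)

# Assumptions for the example: which binaries legitimately open Chrome's
# profile databases, and which directories an installed program should not
# be running from.
BROWSER_STORES = ("\\Login Data", "\\Web Data", "\\History", "\\Cookies")
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\")


def parse(line):
    """Split one report line into (process path, action, target) or None."""
    m = LINE_RE.match(line)
    return (m["proc"], m["action"], m["target"]) if m else None


def classify(proc, action, target):
    """Return a behaviour tag for one event, or None when it is not of interest."""
    exe = proc.rsplit("\\", 1)[-1].lower()
    from_user_path = any(seg in proc.lower() for seg in USER_WRITABLE)
    if action == "WMI Queries" and "root\\securitycenter2" in target.lower():
        return "security_software_discovery"          # AntivirusProduct / FirewallProduct
    if action == "Key value queried" and target.lower().endswith("cryptography machineguid"):
        return "machineguid_fingerprint"              # stable per-host victim ID
    if action == "File opened" and target.endswith(BROWSER_STORES) and exe not in BROWSER_BINARIES:
        return "browser_store_access_by_foreign_process"
    # Version-info lookups on loaded assemblies are noise on their own; the one
    # worth a tag is the WMI assembly loaded by a process in a user-writable path.
    if (action == "Queries volume information"
            and target.endswith("System.Management.dll VolumeInformation")
            and from_user_path):
        return "wmi_assembly_loaded_from_user_path"
    return None


def findings(lines):
    """Map each process path to the sorted list of behaviour tags it produced."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        tag = classify(*rec)
        if tag:
            hits[rec[0]].add(tag)
    return {proc: sorted(tags) for proc, tags in hits.items()}


def suspicious(lines, threshold=2):
    """Processes that chain host fingerprinting or AV discovery with credential
    store access: the stealer pattern this report documents."""
    return sorted(proc for proc, tags in findings(lines).items() if len(tags) >= threshold)


if __name__ == "__main__":
    for proc, tags in findings(SAMPLE_LINES).items():
        print(proc, "->", ", ".join(tags))
    print("suspicious:", suspicious(SAMPLE_LINES))
```

The same rules transfer to live telemetry (Sysmon event 1 plus event 11/registry events, or an EDR's WMI and file-open records) once the parse step is swapped for the event source; the point of the process check is that the Chrome databases are opened by chrome.exe all day long, so the file path alone is not a signal.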

            Remote Access Functionality

            Source: Yara match | File source: 0.2.DHL #109#.exe.3a8ba10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3dbac13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3c97ff0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a27b28.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3a2812b.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL #109#.exe.3be9bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558810.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.44aa3f0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.SDGUedyFqQlpw.exe.4558e13.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 3076, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL #109#.exe PID: 4016, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 3396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SDGUedyFqQlpw.exe PID: 1576, type: MEMORYSTR
            MITRE ATT&CK Matrix

            The matrix was flattened in the export; it is reconstructed here as one line per tactic column. Figures in square brackets are the superscript signature counts the report's matrix shows next to a technique, copied as displayed; techniques without a bracket are unmarked cells of the matrix.

            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
            Execution: Windows Management Instrumentation [21], Scheduled Task/Job [1], At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
            Persistence: DLL Side-Loading [1], Scheduled Task/Job [1], Registry Run Keys / Startup Folder [1], Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Privilege Escalation: DLL Side-Loading [1], Process Injection [111], Scheduled Task/Job [1], Registry Run Keys / Startup Folder [1], Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Defense Evasion: Disable or Modify Tools [1], Obfuscated Files or Information [2], Software Packing [2], DLL Side-Loading [1], Masquerading [21], Virtualization/Sandbox Evasion [41], Process Injection [111], Indicator Removal from Tools
            Credential Access: OS Credential Dumping [1], Input Capture [1], Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
            Discovery: File and Directory Discovery [1], System Information Discovery [23], Security Software Discovery [241], Process Discovery [11], Virtualization/Sandbox Evasion [41], Application Window Discovery [1], Remote System Discovery [1], System Network Configuration Discovery [1]
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
            Collection: Archive Collected Data [1], Data from Local System [1], Input Capture [1], Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Command and Control: Ingress Tool Transfer [1], Encrypted Channel [1], Non-Application Layer Protocol [2], Application Layer Protocol [2], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
            Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
            Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
            Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue
            Behavior Graph ID: 798306 | Sample: DHL #109#.exe | Start date: 03/02/2023 | Architecture: WINDOWS | Score: 100

            The graph was exported as a single run-on line; it is reconstructed here as a process tree. Bracketed numbers are the graph's own node IDs; "counters" are the per-node figures the graph printed after the process name (the export does not say which is the file count and which the registry-value count).

            Top-level signatures (node 2):
              [59] Malicious sample detected (through community Yara rule)
              [61] Antivirus detection for URL or domain
              [63] Icon mismatch, binary includes an icon from a different legit application in order to fool users
              [65] 10 other signatures

            [7] DHL #109#.exe (counters: 6), started by node 2
                dropped: [47] C:\Users\user\AppData\...\SDGUedyFqQlpw.exe, PE32
                         [49] C:\Users\user\AppData\Local\...\tmp6F29.tmp, XML
                         [51] C:\Users\user\AppData\...\DHL #109#.exe.log, ASCII
                signatures: [79] Injects a PE file into a foreign processes
                started: [18] DHL #109#.exe (counters: 16 19)
                             dns/ip: [55] ip-api.com 208.95.112.1, ports 49698, 49700, 49701, TUT-ASUS, United States
                             dropped: [41] C:\Users\user\AppData\Local\Temp\Zip.exe, PE32
                                      [43] C:\Users\user\Desktop\Newtonsoft.Json.dll, PE32
                                      [45] C:\Users\user\AppData\...\Newtonsoft.Json.dll, PE32
                             signatures: [75] Moves itself to temp directory
                                         [77] Tries to harvest and steal browser information (history, passwords, etc)
                             started: [33] Zip.exe (counters: 14 4)
                                          dns/ip: [53] ip-api.com
                                          signatures: [67] Antivirus detection for dropped file
                                                      [69] Multi AV Scanner detection for dropped file
                                                      [71] May check the online IP address of the machine
                                                      [73] Machine Learning detection for dropped file
                         [23] schtasks.exe (counters: 1)
                             started: [37] conhost.exe
            [11] SDGUedyFqQlpw.exe (counters: 5), started by node 2
                signatures: [81] Multi AV Scanner detection for dropped file
                            [83] May check the online IP address of the machine
                            [85] Machine Learning detection for dropped file
                started: [25] SDGUedyFqQlpw.exe
                         [27] schtasks.exe
                             started: [39] conhost.exe
            [13] update_230310.exe, started by node 2
                dns/ip: [57] 127.0.0.1 unknown unknown
                started: [29] WerFault.exe
            [16] 3 other processes, started by node 2
                started: [31] WerFault.exe

            Source | Detection | Scanner | Label
            DHL #109#.exe | 21% | ReversingLabs | Win32.Trojan.Pwsx
            DHL #109#.exe | 37% | Virustotal |
            DHL #109#.exe | 100% | Joe Sandbox ML |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\Zip.exe | 100% | Avira | TR/Redcap.vxffz
            C:\Users\user\AppData\Local\Temp\Zip.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Temp\Zip.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.Oskistelaer
            C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe | 21% | ReversingLabs | Win32.Trojan.Pwsx
            C:\Users\user\Desktop\Newtonsoft.Json.dll | 0% | ReversingLabs |

            No Antivirus matches

            No Antivirus matches
            Source | Detection | Scanner | Label
            http://www.zhongyicts.com.cnue | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnP | 0% | URL Reputation | safe
            http://www.founder.com.cn/cnP | 0% | URL Reputation | safe
            http://www.sajatypeworks.com2 | 0% | URL Reputation | safe
            http://www.sajatypeworks.com2 | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.tiro.com | 0% | URL Reputation | safe
            http://ns.adobe.c/g | 0% | URL Reputation | safe
            http://www.goodfont.co.kr | 0% | URL Reputation | safe
            http://www.carterandcone.com | 0% | URL Reputation | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.carterandcone.comC | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.urwpp.deDPlease | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            http://ip-api.com4Dp8 | 0% | Avira URL Cloud | safe
            http://www.sakkal.com | 0% | URL Reputation | safe
            http://www.sajatypeworks.coml | 0% | URL Reputation | safe
            http://ns.adobe.cobj | 0% | URL Reputation | safe
            http://www.carterandcone.comTC | 0% | URL Reputation | safe
            http://bblaccessories.com/webpanel | 100% | Avira URL Cloud | malware
            http://en.wikip | 0% | URL Reputation | safe
            http://ip-api.comx | 0% | URL Reputation | safe
            http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
            http://ns.ado/1 | 0% | URL Reputation | safe
            http://www.sajatypeworks.comrow | 0% | Avira URL Cloud | safe
            http://ns.adobe.c/gk | 0% | Avira URL Cloud | safe
            http://ip-api.com8 | 0% | Avira URL Cloud | safe
            http://ns.adobe.cobjk | 0% | Avira URL Cloud | safe
            https://gomorrah.pw | 0% | Avira URL Cloud | safe
            http://ip-api.comD8Dp4 | 0% | Avira URL Cloud | safe
            http://teamwiki.de/twiki/vb_tool.php)MSXML2.ServerXMLHTTP | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cnht/ | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kru | 0% | Avira URL Cloud | safe
            http://foo.com/foo | 0% | Avira URL Cloud | safe
            https://max-weller.de | 0% | Avira URL Cloud | safe
            http://ns.ado/1k | 0% | Avira URL Cloud | safe
            http://www.fonts.com; | 0% | Avira URL Cloud | safe
            http://ip-api.com4Dp | 0% | Avira URL Cloud | safe
            http://www.fontbureau.commita9 | 0% | Avira URL Cloud | safe
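Most strings in the table above are not indicators. The font-foundry addresses (fontbureau.com, carterandcone.com, sajatypeworks.com, founder.com.cn, zhongyicts.com.cn, sandoll.co.kr and the rest) are the copyright and vendor URLs stored in Windows font files, which surface in memory when a .NET WinForms process enumerates fonts (this sample loaded System.Drawing and read C:\Windows\Fonts\micross.ttf); the ns.adobe.c fragments are Adobe XMP namespace strings; james.newtonking.com is a constant inside the Newtonsoft.Json library the sample drops; and the trailing characters on com.cnue, comD8Dp4 or com4Dp8 are whatever bytes followed the string in memory when the sandbox carved it. What is left after that filtering is http://bblaccessories.com/webpanel (flagged as malware, found in the SDGUedyFqQlpw.exe memory region and consistent with the /webpanel path of a stealer's collection endpoint), https://gomorrah.pw, and ip-api.com as the public-IP lookup service. The following Python is an added triage helper, not part of the report: it strips the carving garbage from the host part, groups the strings by cleaned host, and sorts them into font or library noise, geolocation checks, truncated fragments and a review queue. The suffix list and the allow-lists are assumptions for the example; a production version would use the public suffix list and an organisation's own allow-list.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the URL strings from the table above, exactly as
# the sandbox carved them out of process memory, trailing garbage included.
SAMPLE_URLS = [
    "http://www.zhongyicts.com.cnue",
    "http://www.fontbureau.commita9",
    "http://www.carterandcone.comTC",
    "http://www.founder.com.cn/cnP",
    "http://ip-api.com4Dp8",
    "http://ip-api.com/json/",
    "http://james.newtonking.com/projects/json",
    "http://bblaccessories.com/webpanel",
    "https://gomorrah.pw",
    "http://en.wikip",
]

# Registrable suffixes seen in this report. Assumption for the example; a real
# tool would use the public suffix list. Multi-label suffixes come first so the
# alternation prefers "com.cn" over "com".
SUFFIXES = ("com.cn", "co.kr", "co.jp", "com", "net", "de", "pw")
HOST_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9-]+\.)+(?:" + "|".join(re.escape(s) for s in SUFFIXES) + r"))(?P<junk>.*)$"
)

# Allow-lists are assumptions made for the example. Font vendor URLs live in the
# copyright/vendor fields of Windows font files and surface whenever a .NET
# WinForms process enumerates fonts; they are not infrastructure of the sample.
FONT_VENDOR_HOSTS = {
    "www.fontbureau.com", "www.carterandcone.com", "www.zhongyicts.com.cn",
    "www.sajatypeworks.com", "www.founder.com.cn", "www.tiro.com",
    "www.goodfont.co.kr", "www.typography.net", "www.galapagosdesign.com",
    "fontfabrik.com", "www.sandoll.co.kr", "www.urwpp.de", "www.sakkal.com",
    "www.jiyu-kobo.co.jp", "www.fonts.com",
}
LIBRARY_HOSTS = {"james.newtonking.com"}   # string constant inside Newtonsoft.Json
GEOIP_HOSTS = {"ip-api.com"}               # public IP lookup used by the sample


def parse_url(raw):
    """Split a carved URL into scheme, cleaned host, path and the junk that
    followed the host in memory. host is None when no registrable suffix is
    present, i.e. the string was cut short by the carving."""
    scheme, sep, rest = raw.partition("://")
    if not sep:
        return None
    hostpart, _, path = rest.partition("/")
    m = HOST_RE.match(hostpart.lower())
    if not m:
        return {"scheme": scheme, "host": None, "path": path, "junk": hostpart, "raw": raw}
    return {"scheme": scheme, "host": m["host"], "path": path, "junk": m["junk"], "raw": raw}


def categorize(host):
    """Map a cleaned host to a triage bucket; unknown hosts go to the review queue."""
    if host is None:
        return "fragment"
    if host in FONT_VENDOR_HOSTS:
        return "font_metadata_noise"
    if host in LIBRARY_HOSTS:
        return "library_metadata_noise"
    if host in GEOIP_HOSTS:
        return "geolocation_check"
    return "review"


def triage(raw_urls):
    """Group carved strings by cleaned host. Each value carries the bucket and
    every raw string that mapped to it, so the original bytes stay visible."""
    groups = defaultdict(list)
    for raw in raw_urls:
        parsed = parse_url(raw)
        if parsed is None:
            continue
        groups[parsed["host"] or raw].append(parsed)
    return {
        key: {"category": categorize(items[0]["host"]), "raw": [p["raw"] for p in items]}
        for key, items in groups.items()
    }


def review_queue(raw_urls):
    """Hosts that survived every allow-list: the ones worth pivoting on."""
    return sorted(host for host, info in triage(raw_urls).items() if info["category"] == "review")


if __name__ == "__main__":
    for host, info in triage(SAMPLE_URLS).items():
        print(f"{info['category']:24} {host}  <- {info['raw']}")
    print("review:", review_queue(SAMPLE_URLS))
```

Cleaning only the host part is deliberate: a path such as /cnP or /DPlease may also carry carving garbage, but a wrong cut there would hide a real C2 path, so the path is kept raw and shown to the analyst alongside the grouping.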
            NameIPActiveMaliciousAntivirus DetectionReputation
            ip-api.com
            208.95.112.1
            truefalse
              high
              NameMaliciousAntivirus DetectionReputation
              http://ip-api.com/json/false
                high
                NameSourceMaliciousAntivirus DetectionReputation
                http://www.zhongyicts.com.cnueDHL #109#.exe, 00000000.00000003.321783957.0000000005A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://duckduckgo.com/chrome_newtabDHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.fontbureau.com/designersGDHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.founder.com.cn/cnPDHL #109#.exe, 00000000.00000003.320597559.0000000005A11000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://www.sajatypeworks.com2DHL #109#.exe, 00000000.00000003.317779300.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317934427.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316786310.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316605273.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317654836.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316945169.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316854752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317881321.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316636779.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316561265.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316977271.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317065111.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.317237807.0000000005A3E000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://duckduckgo.com/ac/?q=SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.fontbureau.com/designers/?DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.founder.com.cn/cn/bTheDHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.sajatypeworks.comrowDHL #109#.exe, 00000000.00000003.316484548.0000000000FBB000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designers?DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://search.yahoo.com?fr=crmas_sfpfDHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.tiro.comDHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersDHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://ns.adobe.c/gSDGUedyFqQlpw.exe, 0000001A.00000002.645437394.000000000798A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
Name: http://www.goodfont.co.kr
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.carterandcone.com
Source: DHL #109#.exe, 00000000.00000003.323381300.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.322676068.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.323305799.0000000005A02000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://ip-api.com8
Source: Zip.exe, 00000005.00000002.494978051.0000014B571AA000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://ip-api.com4Dp8
Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.sajatypeworks.com
Source: DHL #109#.exe, 00000000.00000003.317237807.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.316497484.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.typography.netD
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.founder.com.cn/cn/cThe
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://fontfabrik.com
Source: DHL #109#.exe, 00000000.00000003.318460569.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.318382526.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://bblaccessories.com/webpanel
Source: SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: malware
Reputation: unknown

Name: http://ns.adobe.c/gk
Source: DHL #109#.exe, 00000003.00000002.647285236.000000000788C000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.438266278.000000000788F000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.400369407.000000000787B000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.437944666.0000000007891000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.carterandcone.comC
Source: DHL #109#.exe, 00000000.00000003.323381300.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.322676068.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.323305799.0000000005A02000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://ip-api.com
Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B5718F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571AA000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571D2000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571DE000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.galapagosdesign.com/DPlease
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://ns.adobe.cobjk
Source: DHL #109#.exe, 00000003.00000002.647285236.000000000788C000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.438266278.000000000788F000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.400369407.000000000787B000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.437944666.0000000007891000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fonts.com
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.sandoll.co.kr
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.urwpp.deDPlease
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://teamwiki.de/twiki/vb_tool.php)MSXML2.ServerXMLHTTP
Source: DHL #109#.exe, SDGUedyFqQlpw.exe.0.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.zhongyicts.com.cn
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL #109#.exe, 00000000.00000002.363079133.0000000002881000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.529662640.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B57111000.00000004.00000800.00020000.00000000.sdmp, update_230310.exe, 0000000B.00000002.458348039.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.478611813.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.sakkal.com
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://gomorrah.pw
Source: DHL #109#.exe, 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B57209000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.590897146.000000000047F000.00000040.00000400.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000003086000.00000004.00000800.00020000.00000000.sdmp, info.txt.3.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://ip-api.comD8Dp4
Source: DHL #109#.exe, 00000003.00000002.601389886.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.sajatypeworks.coml
Source: DHL #109#.exe, 00000000.00000003.316484548.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.321783957.0000000005A09000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.founder.com.cn/cnht/
Source: DHL #109#.exe, 00000000.00000003.320634552.0000000005A03000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.sandoll.co.kru
Source: DHL #109#.exe, 00000000.00000003.320522721.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.320634552.0000000005A03000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://ns.adobe.cobj
Source: SDGUedyFqQlpw.exe, 0000001A.00000002.645437394.000000000798A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.carterandcone.comTC
Source: DHL #109#.exe, 00000000.00000003.323381300.0000000005A04000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.322676068.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.323305799.0000000005A02000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://upx.sf.net
Source: Amcache.hve.21.dr
Malicious: false
Reputation: high

Name: https://max-weller.de
Source: DHL #109#.exe, SDGUedyFqQlpw.exe.0.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://en.wikip
Source: DHL #109#.exe, 00000000.00000003.317732879.0000000005A02000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: DHL #109#.exe, 00000003.00000002.615393541.0000000004375000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004792000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://ip-api.comx
Source: Zip.exe, 00000005.00000002.494978051.0000014B5718F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 00000005.00000002.494978051.0000014B571DE000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://james.newtonking.com/projects/json
Source: Newtonsoft.Json.dll0.3.dr
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.carterandcone.coml
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://foo.com/foo
Source: update_230310.exe, 0000000B.00000002.458348039.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, update_230310.exe, 00000014.00000002.478611813.00000000026D3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://ac.ecosia.org/autocomplete?q=
Source: SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://search.yahoo.com?fr=crmas_sfp
Source: DHL #109#.exe, 00000003.00000002.615393541.000000000434D000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.00000000042C3000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004392000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000002.615393541.0000000004308000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000047AF000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004725000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.founder.com.cn/cn
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, DHL #109#.exe, 00000000.00000003.320597559.0000000005A11000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.jiyu-kobo.co.jp/
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers8
Source: DHL #109#.exe, 00000000.00000002.394100205.0000000006C12000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://ns.ado/1k
Source: DHL #109#.exe, 00000003.00000002.647285236.000000000788C000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.438266278.000000000788F000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.400369407.000000000787B000.00000004.00000020.00020000.00000000.sdmp, DHL #109#.exe, 00000003.00000003.437944666.0000000007891000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://ip-api.com4Dp
Source: SDGUedyFqQlpw.exe, 0000001A.00000002.603205973.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.000000000476A000.00000004.00000800.00020000.00000000.sdmp, SDGUedyFqQlpw.exe, 0000001A.00000002.617237833.0000000004708000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.fonts.com;
Source: DHL #109#.exe, 00000000.00000003.318014020.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: http://ns.ado/1
Source: SDGUedyFqQlpw.exe, 0000001A.00000002.645437394.000000000798A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.commita9
Source: DHL #109#.exe, 00000000.00000002.362907181.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false

Private IP
127.0.0.1
                                                              Joe Sandbox Version:36.0.0 Rainbow Opal
                                                              Analysis ID:798306
                                                              Start date and time:2023-02-03 22:38:29 +01:00
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 13m 12s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:1
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample file name:DHL #109#.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@20/24@8/2
                                                              EGA Information:
                                                              • Successful, ratio: 100%
                                                              HDC Information:Failed
                                                              HCA Information:
                                                              • Successful, ratio: 99%
                                                              • Number of executed functions: 60
                                                              • Number of non-executed functions: 2
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 20.189.173.20, 104.208.16.94
                                                              • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
22:39:44 | API Interceptor | 503x Sleep call for process: DHL #109#.exe modified
22:39:53 | Task Scheduler | Run new task: SDGUedyFqQlpw path: C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
22:40:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_230310.exe / start
22:40:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_230310.exe / start
22:40:21 | API Interceptor | 92x Sleep call for process: Zip.exe modified
22:40:36 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
22:40:54 | API Interceptor | 119x Sleep call for process: SDGUedyFqQlpw.exe modified
                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              208.95.112.1RePhjnSrvXGet hashmaliciousBrowse
                                                              • www.ip-api.com/json
                                                              receipt.htmlGet hashmaliciousBrowse
                                                              • ip-api.com/json
                                                              B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exeGet hashmaliciousBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              g8w7YHHUDJGet hashmaliciousBrowse
                                                              • ip-api.com/json/
                                                              Spe00002.jsGet hashmaliciousBrowse
                                                              • ip-api.com/json/
                                                              Odeme.exeGet hashmaliciousBrowse
                                                              • ip-api.com/json/
newsoftware-tester.exe | malicious | ip-api.com/json
uA17g37mtt.exe | malicious | ip-api.com/json/
Odeme.exe | malicious | ip-api.com/json/
VoiceNote.htm | malicious | ip-api.com/json
file.exe | malicious | ip-api.com/json/
OukBj2y5jY.exe | malicious | ip-api.com/json/
Spec002.js | malicious | ip-api.com/json/
android.apk | malicious | www.ip-api.com/json
FJsd1qxDgJ.exe | malicious | ip-api.com/json/
LhWQCnZEr8.exe | malicious | ip-api.com/json/
Comprobant.xls | malicious | ip-api.com/json/
jwlIVLR3d6.exe | malicious | ip-api.com/json/
Odeme.xls | malicious | ip-api.com/json/
Comprobante.xls | malicious | ip-api.com/json/
Match | Associated Sample Name / URL | Detection | Context
ip-api.com | receipt.html | malicious | 208.95.112.1
 | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe | malicious | 208.95.112.1
 | g8w7YHHUDJ | malicious | 208.95.112.1
 | Executed Contract.js | malicious | 208.95.112.1
 | Spe00002.js | malicious | 208.95.112.1
 | Odeme.exe | malicious | 208.95.112.1
 | newsoftware-tester.exe | malicious | 208.95.112.1
 | uA17g37mtt.exe | malicious | 208.95.112.1
 | Odeme.exe | malicious | 208.95.112.1
 | VoiceNote.htm | malicious | 208.95.112.1
 | A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | unknowStealer.bin.exe | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | OukBj2y5jY.exe | malicious | 208.95.112.1
 | Spec002.js | malicious | 208.95.112.1
 | FJsd1qxDgJ.exe | malicious | 208.95.112.1
 | LhWQCnZEr8.exe | malicious | 208.95.112.1
 | Comprobant.xls | malicious | 208.95.112.1
 | jwlIVLR3d6.exe | malicious | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Context
TUT-ASUS | sCv8I1z72W.exe | malicious | 208.95.112.1
 | RePhjnSrvX | malicious | 208.95.112.1
 | receipt.html | malicious | 208.95.112.1
 | B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe | malicious | 208.95.112.1
 | g8w7YHHUDJ | malicious | 208.95.112.1
 | Executed Contract.js | malicious | 208.95.112.1
 | Spe00002.js | malicious | 208.95.112.1
 | Odeme.exe | malicious | 208.95.112.1
 | newsoftware-tester.exe | malicious | 208.95.112.1
 | uA17g37mtt.exe | malicious | 208.95.112.1
 | oZBBHsLv19.exe | malicious | 208.95.112.1
 | Odeme.exe | malicious | 208.95.112.1
 | VoiceNote.htm | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | Payoff Statement.html | malicious | 208.95.112.1
 | unknowStealer.bin.exe | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
No context
Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll | 5VXh2VBmA0.exe | malicious
 | nwY3YpWQVx.exe | malicious
 | 5SUx8Md4kq.exe | malicious
 | file.exe | malicious
 | file.exe | malicious
 | file.exe | malicious
 | NicDx0BvqP.exe | malicious
 | ngyoL1siem.exe | malicious
 | SecuriteInfo.com.Exploit.ShellCode.69.5295.22971.rtf | malicious
 | AvtoKomander_Installer.msi | malicious
 | VFMPwzPWjM.exe | malicious
 | CpLGtq4jBl.exe | malicious
 | CpLGtq4jBl.exe | malicious
 | 5Qg0FFYoQd.exe | malicious
 | IBK_Minervasoft.exe | malicious
 | PO BNB Trends.exe | malicious
 | Bm6U0Vj6pa.exe | malicious
 | NEW REQUIREMENT..xlsx | malicious
 | kKEMJQNDL.exe | malicious
 | doc2022020909100101019.exe | malicious
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.18353028152947
Encrypted: false
SSDEEP: 192:C3+JWbJ6HBUZMXSa6nzCGgiF/u7sGS274ItU:U+obsBUZMXSaM+w/u7sGX4ItU
MD5: 1F3E75B88B5D5008732C40C453A08200
SHA1: 3EA843D71FC0D0881D0AAF0C149A4C9CFBA648EA
SHA-256: 3503E67B6BB4818E49B1839F7BD5FEAD9794DC9345F78ED9D198590864AFF411
SHA-512: 09EBEBED4649C053A2A5E5D26538B9C33FE6860CF08572FDDE87D974F171E036C7245B3A10909A71A7176E27946D02BB49529F9133531235E2EC2164BC6B40D1
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.183594634047425
Encrypted: false
SSDEEP: 192:4lCkrJ6HBUZMXSa6nzCGgiF/u7sGS274ItU:gCkrsBUZMXSaM+w/u7sGX4ItU
MD5: 188685220A48F811753BE5136C3FF079
SHA1: 3524EC2572B3C0188DFE9122F96B6269E5070B12
SHA-256: B7A2365FD4A2ED367580CBBB33563B53F23B54326E251AA78C721E6C597F7E90
SHA-512: C1D62DA5EAB1A9C58A2075A6810B0371C4F0476534039AB4F64891D7F117C5F7C705E004C9DBB3B083DECD5451CCD45A0701B7FF001CF68A29DC11C572B73CB7
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sat Feb 4 06:40:32 2023, 0x1205a4 type
Category: dropped
Size (bytes): 292439
Entropy (8bit): 3.9827295135657454
Encrypted: false
SSDEEP: 3072:XNCbSiJa0Q+Djd+pAXz0tpUCgUdo/9gIOgF5gklTZaLwL1DEeATX:Xk7I0R8peITjdq9RpDHlT0
MD5: 42750981A58B2355EFF00820C7F52D02
SHA1: F50B48EDA950E5E799ADF0B1407516BF4768337E
SHA-256: C6DC01746FC4CB2C220A20E6822A3E778AD98DD725C6874C854907E21C422553
SHA-512: D9A1465C5E29739327EF10E7F9D95A8DD0CE45EBAB66E402159E870F5D32721036912C3A03789F788E861A64306608B1C2A363C1156D4D1B2565D72205646A70
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8444
Entropy (8bit): 3.698969968755615
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiaw6P6YBS85SUD8gmfZv/ScCprn89bUUsfHcm:RrlsNi16P6YBh5SUYgmfh/ScUHfJ
MD5: 42CE7C4EFF8D7CB3C065567DAA2424DB
SHA1: A34A1BBDBA064117F9541ED7C04997FF3AEBB91F
SHA-256: 6D0497A85160ED5752F4BD213602EC24B73AC23F81F884397308F319C2BE64FB
SHA-512: B2039427F23430EF87922307184313977B4B2D53ACA9D527E122537CE543135FA9D012852FEEAFF5402A30D2AA3DC4B84A50AD6A8E3E099587329E2ADDB46C15
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4797
Entropy (8bit): 4.5202085953390485
Encrypted: false
SSDEEP: 48:cvIwSD8zstJgtWI9txWgc8sqYj+a8fm8M4J7N9NF/m+q8vWN9+60Zoz43d:uITfHeggrsqY6vJ7nnmKWn+6keYd
MD5: 6C2C84194B25D3F8D5EDF38485F78033
SHA1: 5B3B658E898DEE8E4A8482FA97BA4D240E138410
SHA-256: B4653F69C94482E6B90B9FE905A61502E29380FC3E04A6CE41CC5D03AFC9548B
SHA-512: D4AFF393212DB87728E1598C99CA2C8EBF5CAF68901A34EEC93A22134944D5BE73BDF00A8F3C69A895A227C9D93224190B376492723A572E23CE25F38AB3752E
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1897431" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sat Feb 4 06:40:40 2023, 0x1205a4 type
Category: dropped
Size (bytes): 268491
Entropy (8bit): 4.130660801750376
Encrypted: false
SSDEEP: 3072:z036jkJbf0M3RSjd+pFH9E0wYUCgUJVoz9gIOgF5XLTZaLvIwlcg9sDovo:z0Kjq0GBpFmiTjJVS9RpD7T0Ug9M
MD5: CB2C44A20EF4FF02688B2864B9CB9D12
SHA1: BF1999DB9F8CA467AEB26665AE78EA6D2D4734D8
SHA-256: D2F8B27804513EE363845AFCA2F13E9D99B9A6203B3CC666E9C9014F90CC8DA4
SHA-512: 3FDEFEAA7421B2F6241684126383CFB1233F5C41DAB31D4C75E3BE0FE6B1249BE904EA0097B995595775AFAB38489A59F7433B481F63F94D87516F06DCFA21F9
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8442
Entropy (8bit): 3.6987901348327203
Encrypted: false
SSDEEP: 192:Rrl7r3GLNikC6f6YBSzSUcg3gmfZv/ScCprD89bRxsfL7m:RrlsNi56f6YBWSUDgmfh/SQRqfW
MD5: 77C7BFD43FC73D82E709ABCFF8FED8F6
SHA1: 37932C050BAB36CE323A8EE851A0E4E04E9518F7
SHA-256: A18B8B65A1637BF215F59301EFB9426E69C5D4C4A721A84F01F37CC7EEDDA7E5
SHA-512: E1BBEA3CEFCE002BEE3CD63D3BEB544047C4D9EFEF00709DEF3069883F5E5E85D269DF9B2A31C55ACD3CCBF0344539B0CA041B9262A506E86EF77B3A9FC1C3DD
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4797
Entropy (8bit): 4.5207055282802555
Encrypted: false
SSDEEP: 48:cvIwSD8zstJgtWI9txWgc8sqYjF8fm8M4J7N9NFxg+q8vWN9cO0ZozV3d:uITfHeggrsqYmJ7nCKWnTkeRd
MD5: CB10FD2C3C16D7E9D05FC3C0FD61B84F
SHA1: 3D57BB6D0875433C20E2AB659F5DFCAFBD5961E4
SHA-256: 08F95AD6D690AC29E8AE207D307F2569A9D7C08161F05954ED12916EA6956D79
SHA-512: EA983CBA9E83C45C22D31AF318EB1137981506F563C6745FD9C19CD2FA8B445E037FB4D40C256BB3BC65FCCD3240667E703EE3A02AB8A20412F153A6E948A56F
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1897431" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                                                      File Type:CSV text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2343
                                                                                                      Entropy (8bit):5.374204171243879
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoAPHZHpH+5HK+HKs:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qo
                                                                                                      MD5:3F114A073575263E59307B55548FD5F4
                                                                                                      SHA1:971459D541646C4C6B382F06AAFA9F4147716568
                                                                                                      SHA-256:2417EC96E49CF7352D91892438478E961D8DC870FEB8E8821C732383CD9351F2
                                                                                                      SHA-512:EA7B613DF726F230ADFEF841E4C8A753228B3AFAE7F2D2FDC2704892910F18254F2D9B31AA5E7D4C993137BCAE92B0FF77D9D31503E96D605DBF0589E42AD809
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1314
                                                                                                      Entropy (8bit):5.350128552078965
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                                      Malicious:true
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                      Process:C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1314
                                                                                                      Entropy (8bit):5.350128552078965
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                      Category:dropped
                                                                                                      Size (bytes):817975
                                                                                                      Entropy (8bit):7.997768463518498
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:qI63AtVt9amCED55Z8yayb484d6FO+rbHGt:qI6Qj+mtnOeb4fd6E+rbGt
                                                                                                      MD5:546E5255876D30DECB6631CFA3DDE59A
                                                                                                      SHA1:E68D00F710FAF7F204D4B87D6959AA82B096338A
                                                                                                      SHA-256:B4709E548E950D539DE83060D75A05A95755B64F5705EDC0684798A8E2004DA6
                                                                                                      SHA-512:94FC4F7F2D2B4894E242D51A90091AA028AF5507C2CF2FC099745FD8CCA829B5DCC4E6DBF94996FE320C450339A0BC0DD94B128DBAE58A5ABEBC330A926E9FB8
                                                                                                      Malicious:false
                                                                                                      Preview:PK..........CV................Cards.txtPK..........CV................Files\PK..........CV...^....L.......info.txt...N.0.EwK..;&.i(m.:..0.D.....p...4._...:..{.zu....K....'VA...G......v....m..q..f'....../.k.pCG......iP.D.s.....w..G..$...cJ^.t..~.b...4...>|KQQ.xD._Ui.,..Z............G...Q.iF..........;.....G..PK..........CV................Passwords.txtPK..........CV.9......=2......ProgramList.txt.[.r.6..g&.=.s.C..o.O...Dc.i....h(B.I.y..r....5......):1YZ.....!.....`w....XEa.t.^.3...../b.....3....'o.I........N.u|R.:I.,.c9AGa&.?..@.S.}"....>:U...f..t."..FOeZ..1..yj....oT.....=+.g.LNT..5.p.K.s-.].....a.c...A^...M.,...<.}....c.`.v....`A.............1.4Mt.:. .z.N.k.v..a...~.Z..d....lB......|>).@......-..!...J[<...g... .....^I.u..cb.g.".....`.aD|M?.D....q....%.....R.....t.T.....=..-2.QnT..V..6...X...|..qE.w..{.*C..ooG..H..=B...q...$ .v.V.....9 .......|.....I}....#......2...C.^..VIVC.....T....M....r.C.j......}pP ...k.z..}./~..J......V...+.....WJ....
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):12861
                                                                                                      Entropy (8bit):5.146432365744317
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:xwI1IzJ0Npt0KY0DpaS0dVSWI8VIu5fKM0Aoc9OGObO0OROZO99OXcgc0cAO7cDk:aq0R0zU/QVWB
                                                                                                      MD5:8EE4E55FCF30BE8A76950F6F520204F6
                                                                                                      SHA1:46F5E3DB3B5E93699735411382E396AA7365BE9D
                                                                                                      SHA-256:970BD559D3828648528EF99AFC845069153123289C9A20E3B6E57EA4BF2CFC6C
                                                                                                      SHA-512:7679C52085223EE619EF85F4249EF2F55B802C6390181104816C6CFCC6F0F421210E6E6D2609324740158726522FF2A5A1B9B16A7ECDDF01A74D528B7638BD8D
                                                                                                      Malicious:false
                                                                                                      Preview:Application Name : Google.Chrome....Version : 104.0.5112.81....Installed Date . 20220816....Application Name: Microsoft Office Professional Plus 2016....Application Name: Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501....Application Name : Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005....Version : 12.0.21005....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319....Version : 10.0.30319....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702....Version : 14.21.27702....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702....Version : 14.21.27702....Installed Date . 20190627....Application Name : Java 8 Update 211....Version : 8.0.2110.12....Installed Date . 20190627....Application Name: Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030....Application Name: Microsoft Visu
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2341
                                                                                                      Entropy (8bit):4.574990009499718
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:jXRoqqqqq1gMqE69YKtMqqqIuqcqIEj9+uqqqqgpyqIEEuMJqqqqqEh8MVqA8YIJ:p0Obllar//R
                                                                                                      MD5:4B319E2F175D3796C41C9A6E79284839
                                                                                                      SHA1:1489DD7FE599B1EA0737494C57AFAB6A6A48BF40
                                                                                                      SHA-256:3B03FF5394F777A15695209BF06D59F2BB2C8E1149508C41474F256C94E52646
                                                                                                      SHA-512:0AF92B36A099C6BD0B8B658E6CBE86596CA7756BA53EC5216D1F5C801BD3309C110D4BF9151EB3DCEB2B1A8CBD6CFFFB807D3B71482DCED7D28DCEDE3251D429
                                                                                                      Malicious:false
                                                                                                      Preview:Name : dwm....Name : csrss....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : SgrmBroker....Name : svchost....Name : svchost....Name : fontdrvhost....Name : dllhost....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : explorer....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : svchost....Name : svchost....Name : winlogon....Name : svchost....Name : svchost....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : dllhost....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : WMIADAP....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Name : spoolsv....Name : svchost....Name : svchost....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : MdNhpqxLuQeSsOdIjuQeolS....Name : svchost....Name : smartscreen....Name : svchost....Name : svchost....Name : svchost....Name : svchost....Nam
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):831033
                                                                                                      Entropy (8bit):7.948252649493437
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:F6A9sFCo4BIclmyLKdhIg4/nGtDcbfvu8peX0TjI+Z8l1lvB4AZbK3yMNmCp5V4U:w4BNudK1nkcbfXTvZ8lPJdiz+kqT6f
                                                                                                      MD5:5263177D47472A0A1C2040B1FEA1ECD3
                                                                                                      SHA1:D42E84E519B80025F3F40AEA4A12E18F2BCC6A8F
                                                                                                      SHA-256:DDC25F319860878CA034BE23086EE4934128FF82963B9FABEB70B74DBA5D497F
                                                                                                      SHA-512:F769D15190E617EC4E5580FF53092066D0AA3EB52F38A57817687F624DA7A4BF4972BE85AE5ADC6EF0BC8F263B8EEFEDC54E6887E65582665F130609144DA4E7
                                                                                                      Malicious:false
                                                                                                      Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...dGu..=.^L.Q9...M6.V.a..&/k...^l......`L...F..,!$..J(....AHBy.Fi4I....P[..=...W.......}...+.:..u..,..yf......f../t.l..5..d.f/.....el...-^..`..^Q.u..W...U![....Q....![....~..?<..x..m.......h.\..m{."l.\..F..g..c..e.)6.r.P....s..Au.df.z....kT...+.lDu..e......+=.M....yfvc.....X..g.....F...~#E..0..; ..<."4.S..l.B.}Ot./..N...Q..*Q..............(.`O...`Y...M......c.W8.=...f....,....D..5M....f.3.w...f.m_..._...u.,|.....4..h....[1.K..b0W".;.9......x.w./`-....m.g.|....?....E..n....l.b.......X..4...@....c.Va....g.6....c..l.j;O...n..2......i[P..(,........./.a.{0&[.8.!..h*..#.... ..,...-~.3...R.eJ..r0.1....T..S....M. ........8..m:...C..).).M...S.p,@.....{bh.P.>5S.0.T..A._.S..7....,..Fp.....P.#...Y.....kx@-l.>.+....@mM..-....}R....Pm.I.U...[.VF~9t..50m.j{..E...a..`.`...|...?...K..(...K...E.6w.4.."l.HP....h....r.#t.p..A..@OT.dT..9..".N~..52.F....c.r..|$..1P|
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):332
                                                                                                      Entropy (8bit):4.579461777700594
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:9lngeX9CF2Rpj1hx0+A7JRXWQuGsLf15Ro1WcEuo8T:fdgIpxXKRXWQzsLN5RJcfV
                                                                                                      MD5:641D8C809588E0857309CBD76FDB74E8
                                                                                                      SHA1:17D4040422B18E3E7A3420F911D608A02D793106
                                                                                                      SHA-256:F58EA23262A16CB3BD55F3BF9C1E8315BA7512AD507AB74DE53272005DD52961
                                                                                                      SHA-512:6CD48E0176DA47E3221D3BC0D43BC05116F95B616A8D18CB6ECFC8986CC9A0830ED9A2652D320C762D43DB0AB447B57FAD515C75BB5654623CCE1DAA8D10F0FD
                                                                                                      Malicious:false
                                                                                                      Preview:PC Name : 585948..Operating System : Microsoft Windows 10 Pro..Anti virus : Windows Defender..Firewall : None..Processor : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Memory (RAM) : 8.00 GB..-----------------------------------------------------------------------..-------------Developed By th3darkly [ https://gomorrah.pw ]-------------
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):407776
                                                                                                      Entropy (8bit):6.080910017085125
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                                                      MD5:F75FE8D06448D07720D5456F2A327F08
                                                                                                      SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                                                      SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                                                      SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: 5VXh2VBmA0.exe, Detection: malicious
                                                                                                      • Filename: nwY3YpWQVx.exe, Detection: malicious
                                                                                                      • Filename: 5SUx8Md4kq.exe, Detection: malicious
                                                                                                      • Filename: file.exe, Detection: malicious
                                                                                                      • Filename: file.exe, Detection: malicious
                                                                                                      • Filename: file.exe, Detection: malicious
                                                                                                      • Filename: NicDx0BvqP.exe, Detection: malicious
                                                                                                      • Filename: ngyoL1siem.exe, Detection: malicious
                                                                                                      • Filename: SecuriteInfo.com.Exploit.ShellCode.69.5295.22971.rtf, Detection: malicious
                                                                                                      • Filename: AvtoKomander_Installer.msi, Detection: malicious
                                                                                                      • Filename: VFMPwzPWjM.exe, Detection: malicious
                                                                                                      • Filename: CpLGtq4jBl.exe, Detection: malicious
                                                                                                      • Filename: CpLGtq4jBl.exe, Detection: malicious
                                                                                                      • Filename: 5Qg0FFYoQd.exe, Detection: malicious
                                                                                                      • Filename: IBK_Minervasoft.exe, Detection: malicious
                                                                                                      • Filename: PO BNB Trends.exe, Detection: malicious
                                                                                                      • Filename: Bm6U0Vj6pa.exe, Detection: malicious
                                                                                                      • Filename: NEW REQUIREMENT..xlsx, Detection: malicious
                                                                                                      • Filename: kKEMJQNDL.exe, Detection: malicious
                                                                                                      • Filename: doc2022020909100101019.exe, Detection: malicious
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:Q.P...........!..................... ... ....... .......................`............@.................................\...O.... ..0................>...@......$................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H.......`e..............c..X...P .......................................R..p..4j../ux..;....B.6z.R...K.KT....i.r.p>.m~.p.?YQ.~16~v....J.h.}..k.......&...E....p..Ix..t;.uT7Ph..(.Rv:...y..qp...dX3...bu..{....*"..}....*V.(i.....(......}....*2.{....oj...*2.{....ok...*B..(....&..(....*...0...........oj........YE....{...............{...f...............f.......A...A...A...A...1...A...V...8<....t......{.....om...ol....or.....+U..om.....{.....o....oj...on.....o....o{...t.....o....o}.
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32256
                                                                                                      Entropy (8bit):5.050531187823917
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:KfkVQ748aUKN6C8/3g2L4QDL0Lk24jXPlfLoem/xYUIoPBsNJc:RW7PTKF8fPdDL42XPUIc
                                                                                                      MD5:AF07E88EC22CC90CEBFDA29517F101B9
                                                                                                      SHA1:A9E6F4AE24ABF76966D7DB03AF9C802E83760143
                                                                                                      SHA-256:1632FBFF8EDC50F2C7EF7BB2FE9B2C17E6472094F0D365A98E0DEC2A12FA8EC2
                                                                                                      SHA-512:B4575AF98071FC8D46C022E24BFB2C1567D7E5F3DE0D8FB5FEE6F876985C7780A5B145F645725FF27A15367162AA08490AC2F8DD59D705663094FE4E1EEEC7BC
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 76%
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1650
                                                                                                      Entropy (8bit):5.179538546765989
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpLtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3l
                                                                                                      MD5:0EA7371BC4169EDB1BFDBB343B9F9B8B
                                                                                                      SHA1:85076F6A6DE5E55E0243E302544D4E4AB4C4CE35
                                                                                                      SHA-256:ED2EEFE497AAED956136D2A8E6487A947DF00EFABBEA7EBC010EE65B9ADBD5AD
                                                                                                      SHA-512:0CCC4104DA6CB7B9A6F5E1BAFD3809E73DB0B6DA6B2D98AE65D4025128A2944648E12756183F71C732E870BD91835311EF30529110BBCD77B143E911CCBD52D0
                                                                                                      Malicious:true
                                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                                                                      Process:C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1650
                                                                                                      Entropy (8bit):5.179538546765989
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpLtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3l
                                                                                                      MD5:0EA7371BC4169EDB1BFDBB343B9F9B8B
                                                                                                      SHA1:85076F6A6DE5E55E0243E302544D4E4AB4C4CE35
                                                                                                      SHA-256:ED2EEFE497AAED956136D2A8E6487A947DF00EFABBEA7EBC010EE65B9ADBD5AD
                                                                                                      SHA-512:0CCC4104DA6CB7B9A6F5E1BAFD3809E73DB0B6DA6B2D98AE65D4025128A2944648E12756183F71C732E870BD91835311EF30529110BBCD77B143E911CCBD52D0
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1190400
                                                                                                      Entropy (8bit):7.367544982340551
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:AlGce7MTyPdLX2tuCAe/ZX81MjOxltKwJRWDnFeoS0EnTojbFA4Pdox/O:7GjKrJEFTEnTaFxoF
                                                                                                      MD5:EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      SHA1:57847E14C4E9B3D11D03BEC969B1C79C34C1D434
                                                                                                      SHA-256:445EE45F82C11BDAAEEF1A816C54D537307AFF9CB575ACFBC214ECA86231E133
                                                                                                      SHA-512:63DD2F870475A2E874A8055157AFF763CDD0450EE22EA4CBC9D5B636C931B4C4BC89EFAA4D9C4B88181803F9C93232BB4D879FA0DC82E0A6EF2078B194B97227
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                                                      Process:C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):407776
                                                                                                      Entropy (8bit):6.080910017085125
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                                                      MD5:F75FE8D06448D07720D5456F2A327F08
                                                                                                      SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                                                      SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                                                      SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1572864
                                                                                                      Entropy (8bit):4.341030762989627
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:H8sysTpPh7vlhCDw+y5U0wBc9B2o2CjqL2syUBCPdUSLnmOI3DChr:csysTpPh7vlhCDwiDO
                                                                                                      MD5:B83C19B329A8E5249C80FDE1C0FBE13C
                                                                                                      SHA1:8D65B680C245F77CC1E34CEA0FD1445849B98C1B
                                                                                                      SHA-256:EEA8A0433E933772CD5E26D8C857119220B45F2DC7CAB02514E85FDD930A95DF
                                                                                                      SHA-512:DD93447BDF86D9A26A41513BB1390D5B76E8B2931CB9141804DE4540E1732A55DA65332AFE7CFBBB3655A7B137C14813949463C85CE09A9566A129940AC594DB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):3.7694919964218427
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:ns1M74nhfWGjIqNLK3XJ5GTyemcJwKpfi4RjU2xevhfWGjIq:EKcye
                                                                                                      MD5:1807C2DA34BD987F6ADC37BEED21B7B8
                                                                                                      SHA1:739481E905CDDBB2C1F77A6EFFBB34315417CFCB
                                                                                                      SHA-256:B27A9F8F6B0FE38A40EC2C2CA8C8B39AAECCFAC373F94899EA510E1154CD79EA
                                                                                                      SHA-512:B1C59FC58BAD96A66089F1458B9C50DD874B7C14289FCB2A8803DAB55795136239C9AB93134FC8EA7DC028B2E2FFB68BA208873977243C42F2E8701000410D0A
                                                                                                      Malicious:false
                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Entropy (8bit):7.367544982340551
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                      File name:DHL #109#.exe
                                                                                                      File size:1190400
                                                                                                      MD5:eb529efe16b4f7171fc8c4e132ce0c60
                                                                                                      SHA1:57847e14c4e9b3d11d03bec969b1c79c34c1d434
                                                                                                      SHA256:445ee45f82c11bdaaeef1a816c54d537307aff9cb575acfbc214eca86231e133
                                                                                                      SHA512:63dd2f870475a2e874a8055157aff763cdd0450ee22ea4cbc9d5b636c931b4c4bc89efaa4d9c4b88181803f9c93232bb4d879fa0dc82e0a6ef2078b194b97227
                                                                                                      SSDEEP:24576:AlGce7MTyPdLX2tuCAe/ZX81MjOxltKwJRWDnFeoS0EnTojbFA4Pdox/O:7GjKrJEFTEnTaFxoF
                                                                                                      TLSH:E2456A3A597A07E2D439F73502B1C430B6ADAF927313C958ADDA3EC2DF321806D9A51D
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P..|............... ........@.. ....................................@................................
                                                                                                      Icon Hash:c4c4c4c8ccd4d0c4
                                                                                                      Entrypoint:0x509a0e
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x63DCDB1D [Fri Feb 3 09:59:57 2023 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                      Instruction
                                                                                                      jmp dword ptr [00402000h]
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1099b9         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10a000         0x1a86c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x126000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x104618         0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x107a14      0x107c00  False     0.7890115891587678   data       7.513961549932198    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x10a000         0x1a86c       0x1aa00   False     0.18159477699530516  data       4.196918446455818    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x126000         0xc           0x200     False     0.044921875          data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                 Language  Country
RT_ICON        0x10a1d8  0x1dd8   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x10bfb0  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536
RT_ICON        0x11c7d8  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384
RT_ICON        0x120a00  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON        0x122fa8  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON        0x124050  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_GROUP_ICON  0x1244b8  0x5a     data
RT_VERSION     0x124514  0x356    data
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Feb 3, 2023 22:39:54.394956112 CET  49698        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:39:54.431924105 CET  80           49698      208.95.112.1  192.168.2.5
Feb 3, 2023 22:39:54.432086945 CET  49698        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:39:54.432769060 CET  49698        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:39:54.470513105 CET  80           49698      208.95.112.1  192.168.2.5
Feb 3, 2023 22:39:54.544879913 CET  49698        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:00.678345919 CET  49698        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:00.714962959 CET  80           49698      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:00.715116978 CET  49698        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:00.761763096 CET  49700        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:00.799536943 CET  80           49700      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:00.799612999 CET  49700        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:00.799840927 CET  49700        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:00.837584972 CET  80           49700      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:00.945302963 CET  49700        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:09.221915960 CET  49700        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:09.258157969 CET  80           49700      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:09.258286953 CET  49700        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:09.417965889 CET  49701        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:09.454423904 CET  80           49701      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:09.454529047 CET  49701        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:09.454806089 CET  49701        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:09.492547035 CET  80           49701      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:09.633541107 CET  49701        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:17.472984076 CET  49703        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:17.509562969 CET  80           49703      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:17.509699106 CET  49703        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:17.511776924 CET  49703        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:17.549612045 CET  80           49703      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:17.618606091 CET  49703        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:40.456475019 CET  49703        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:40.493937016 CET  80           49703      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:40.494081974 CET  49703        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:40.539910078 CET  49710        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:40.576241970 CET  80           49710      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:40.576359034 CET  49710        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:40.576634884 CET  49710        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:40.614341021 CET  80           49710      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:40.615566015 CET  49710        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:40.651834011 CET  80           49710      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:40.652040005 CET  49710        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:41.270363092 CET  49711        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:41.306651115 CET  80           49711      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:41.306761980 CET  49711        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:41.306978941 CET  49711        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:41.344449997 CET  80           49711      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:41.438124895 CET  49711        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:45.150598049 CET  80           49701      208.95.112.1  192.168.2.5
Feb 3, 2023 22:40:45.150731087 CET  49701        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:40:54.836849928 CET  49711        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:11.902285099 CET  49713        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:11.931803942 CET  80           49713      208.95.112.1  192.168.2.5
Feb 3, 2023 22:41:11.934271097 CET  49713        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:11.946316957 CET  49713        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:11.984361887 CET  80           49713      208.95.112.1  192.168.2.5
Feb 3, 2023 22:41:12.091984034 CET  49713        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:21.782710075 CET  80           49701      208.95.112.1  192.168.2.5
Feb 3, 2023 22:41:32.779378891 CET  49713        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:32.808584929 CET  80           49713      208.95.112.1  192.168.2.5
Feb 3, 2023 22:41:32.808671951 CET  49713        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:32.836050987 CET  49714        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:32.869904041 CET  80           49714      208.95.112.1  192.168.2.5
Feb 3, 2023 22:41:32.870340109 CET  49714        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:32.878995895 CET  49714        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:41:32.917643070 CET  80           49714      208.95.112.1  192.168.2.5
Feb 3, 2023 22:41:33.052405119 CET  49714        80         192.168.2.5   208.95.112.1
Feb 3, 2023 22:42:10.179280996 CET  80           49714      208.95.112.1  192.168.2.5
Feb 3, 2023 22:42:10.179466963 CET  49714        80         192.168.2.5   208.95.112.1
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Feb 3, 2023 22:39:54.350110054 CET  56894        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:39:54.375919104 CET  53           56894      8.8.8.8      192.168.2.5
Feb 3, 2023 22:40:00.732829094 CET  50295        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:40:00.752862930 CET  53           50295      8.8.8.8      192.168.2.5
Feb 3, 2023 22:40:09.249152899 CET  60841        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:40:09.266767979 CET  53           60841      8.8.8.8      192.168.2.5
Feb 3, 2023 22:40:17.387315989 CET  60649        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:40:17.417973995 CET  53           60649      8.8.8.8      192.168.2.5
Feb 3, 2023 22:40:40.517981052 CET  49724        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:40:40.538813114 CET  53           49724      8.8.8.8      192.168.2.5
Feb 3, 2023 22:40:41.235953093 CET  61452        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:40:41.255065918 CET  53           61452      8.8.8.8      192.168.2.5
Feb 3, 2023 22:41:11.849711895 CET  51484        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:41:11.880604029 CET  53           51484      8.8.8.8      192.168.2.5
Feb 3, 2023 22:41:32.807945013 CET  63446        53         192.168.2.5  8.8.8.8
Feb 3, 2023 22:41:32.827498913 CET  53           63446      8.8.8.8      192.168.2.5
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class        DNS over HTTPS
Feb 3, 2023 22:39:54.350110054 CET  192.168.2.5  8.8.8.8  0xcc28    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:00.732829094 CET  192.168.2.5  8.8.8.8  0xa91a    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:09.249152899 CET  192.168.2.5  8.8.8.8  0x4a7a    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:17.387315989 CET  192.168.2.5  8.8.8.8  0x72aa    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:40.517981052 CET  192.168.2.5  8.8.8.8  0x422d    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:41.235953093 CET  192.168.2.5  8.8.8.8  0x9148    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:41:11.849711895 CET  192.168.2.5  8.8.8.8  0xb6ec    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:41:32.807945013 CET  192.168.2.5  8.8.8.8  0x490     Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name        CName  Address       Type            Class        DNS over HTTPS
Feb 3, 2023 22:39:54.375919104 CET  8.8.8.8    192.168.2.5  0xcc28    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:00.752862930 CET  8.8.8.8    192.168.2.5  0xa91a    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:09.266767979 CET  8.8.8.8    192.168.2.5  0x4a7a    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:17.417973995 CET  8.8.8.8    192.168.2.5  0x72aa    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:40.538813114 CET  8.8.8.8    192.168.2.5  0x422d    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:40:41.255065918 CET  8.8.8.8    192.168.2.5  0x9148    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:41:11.880604029 CET  8.8.8.8    192.168.2.5  0xb6ec    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
Feb 3, 2023 22:41:32.827498913 CET  8.8.8.8    192.168.2.5  0x490     No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
• ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49698        208.95.112.1    80                C:\Users\user\Desktop\DHL #109#.exe

Timestamp                           kBytes transferred  Direction  Data
Feb 3, 2023 22:39:54.432769060 CET  93                  OUT        GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Feb 3, 2023 22:39:54.470513105 CET  94                  IN         HTTP/1.1 200 OK
Date: Fri, 03 Feb 2023 21:39:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                      1 | 192.168.2.5 | 49700 | 208.95.112.1 | 80 | C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                      Feb 3, 2023 22:40:00.799840927 CET | 94 | OUT | GET /json/ HTTP/1.1
                                                                                                      Host: ip-api.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Feb 3, 2023 22:40:00.837584972 CET | 95 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Fri, 03 Feb 2023 21:40:00 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Content-Length: 293
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      X-Ttl: 53
                                                                                                      X-Rl: 43
                                                                                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
                                                                                                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                      2 | 192.168.2.5 | 49701 | 208.95.112.1 | 80 | C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                      Feb 3, 2023 22:40:09.454806089 CET | 96 | OUT | GET /json/ HTTP/1.1
                                                                                                      Host: ip-api.com
                                                                                                      Feb 3, 2023 22:40:09.492547035 CET | 96 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Fri, 03 Feb 2023 21:40:09 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Content-Length: 293
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      X-Ttl: 44
                                                                                                      X-Rl: 42
                                                                                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
                                                                                                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                      3 | 192.168.2.5 | 49703 | 208.95.112.1 | 80 | C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                      Feb 3, 2023 22:40:17.511776924 CET | 107 | OUT | GET /json/ HTTP/1.1
                                                                                                      Host: ip-api.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Feb 3, 2023 22:40:17.549612045 CET | 107 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Fri, 03 Feb 2023 21:40:17 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Content-Length: 293
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      X-Ttl: 36
                                                                                                      X-Rl: 41
                                                                                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
                                                                                                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                      4 | 192.168.2.5 | 49710 | 208.95.112.1 | 80 | C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                      Feb 3, 2023 22:40:40.576634884 CET | 175 | OUT | GET /json/ HTTP/1.1
                                                                                                      Host: ip-api.com
                                                                                                      Feb 3, 2023 22:40:40.614341021 CET | 176 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Fri, 03 Feb 2023 21:40:40 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Content-Length: 293
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      X-Ttl: 13
                                                                                                      X-Rl: 40
                                                                                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
                                                                                                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                      5 | 192.168.2.5 | 49711 | 208.95.112.1 | 80 | C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                      Feb 3, 2023 22:40:41.306978941 CET | 177 | OUT | GET /json/ HTTP/1.1
                                                                                                      Host: ip-api.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Feb 3, 2023 22:40:41.344449997 CET | 178 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Fri, 03 Feb 2023 21:40:41 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Content-Length: 293
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      X-Ttl: 13
                                                                                                      X-Rl: 39
                                                                                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
                                                                                                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                      6 | 192.168.2.5 | 49713 | 208.95.112.1 | 80 | C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                      Feb 3, 2023 22:41:11.946316957 CET | 186 | OUT | GET /json/ HTTP/1.1
                                                                                                      Host: ip-api.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Feb 3, 2023 22:41:11.984361887 CET | 186 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Fri, 03 Feb 2023 21:41:11 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Content-Length: 293
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      X-Ttl: 60
                                                                                                      X-Rl: 44
                                                                                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
                                                                                                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                      7 | 192.168.2.5 | 49714 | 208.95.112.1 | 80 | C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                      Feb 3, 2023 22:41:32.878995895 CET | 187 | OUT | GET /json/ HTTP/1.1
                                                                                                      Host: ip-api.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Feb 3, 2023 22:41:32.917643070 CET | 188 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Fri, 03 Feb 2023 21:41:32 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Content-Length: 293
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      X-Ttl: 39
                                                                                                      X-Rl: 43
                                                                                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
                                                                                                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


                                                                                                      Target ID: 0
                                                                                                      Start time: 22:39:29
                                                                                                      Start date: 03/02/2023
                                                                                                      Path: C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Wow64 process (32bit): true
                                                                                                      Commandline: C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Imagebase: 0x4d0000
                                                                                                      File size: 1190400 bytes
                                                                                                      MD5 hash: EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges: true
                                                                                                      Has administrator privileges: true
                                                                                                      Programmed in: .Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000000.00000002.371842107.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000000.00000002.371842107.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                      Reputation: low

                                                                                                      Target ID: 1
                                                                                                      Start time: 22:39:50
                                                                                                      Start date: 03/02/2023
                                                                                                      Path: C:\Windows\SysWOW64\schtasks.exe
                                                                                                      Wow64 process (32bit): true
                                                                                                      Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp6F29.tmp"
                                                                                                      Imagebase: 0x90000
                                                                                                      File size: 185856 bytes
                                                                                                      MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                                                      Has elevated privileges: true
                                                                                                      Has administrator privileges: true
                                                                                                      Programmed in: C, C++ or other language
                                                                                                      Reputation: high

                                                                                                      Target ID: 2
                                                                                                      Start time: 22:39:50
                                                                                                      Start date: 03/02/2023
                                                                                                      Path: C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit): false
                                                                                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase: 0x7ff7fcd70000
                                                                                                      File size: 625664 bytes
                                                                                                      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges: true
                                                                                                      Has administrator privileges: true
                                                                                                      Programmed in: C, C++ or other language
                                                                                                      Reputation: high

                                                                                                      Target ID: 3
                                                                                                      Start time: 22:39:51
                                                                                                      Start date: 03/02/2023
                                                                                                      Path: C:\Users\user\Desktop\DHL #109#.exe
                                                                                                      Wow64 process (32bit): true
                                                                                                      Commandline: {path}
                                                                                                      Imagebase: 0x7a0000
                                                                                                      File size: 1190400 bytes
                                                                                                      MD5 hash: EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges: true
                                                                                                      Has administrator privileges: true
                                                                                                      Programmed in: .Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.601389886.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000003.00000002.590990822.0000000000466000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000003.00000002.601389886.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                      Reputation:low

                                                                                                      Target ID:4
                                                                                                      Start time:22:39:53
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:1190400 bytes
                                                                                                      MD5 hash:EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000004.00000002.564712565.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      • Detection: 21%, ReversingLabs
                                                                                                      Reputation:low

                                                                                                      Target ID:5
                                                                                                      Start time:22:40:14
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Zip.exe"
                                                                                                      Imagebase:0x14b55360000
                                                                                                      File size:32256 bytes
                                                                                                      MD5 hash:AF07E88EC22CC90CEBFDA29517F101B9
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000005.00000000.405942498.0000014B55362000.00000002.00000001.01000000.0000000A.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Avira
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      • Detection: 76%, ReversingLabs
                                                                                                      Reputation:moderate

                                                                                                      Target ID:6
                                                                                                      Start time:22:40:14
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\update_230310.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
                                                                                                      Imagebase:0x10000
                                                                                                      File size:1190400 bytes
                                                                                                      MD5 hash:EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low

                                                                                                      Target ID:11
                                                                                                      Start time:22:40:16
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\update_230310.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
                                                                                                      Imagebase:0xb20000
                                                                                                      File size:1190400 bytes
                                                                                                      MD5 hash:EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Reputation:low

                                                                                                      Target ID:12
                                                                                                      Start time:22:40:22
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\update_230310.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
                                                                                                      Imagebase:0xc0000
                                                                                                      File size:1190400 bytes
                                                                                                      MD5 hash:EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low

                                                                                                      Target ID:20
                                                                                                      Start time:22:40:29
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\update_230310.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\update_230310.exe" / start
                                                                                                      Imagebase:0x230000
                                                                                                      File size:1190400 bytes
                                                                                                      MD5 hash:EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Reputation:low

                                                                                                      Target ID:21
                                                                                                      Start time:22:40:29
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 1432
                                                                                                      Imagebase:0x20000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Reputation:high

                                                                                                      Target ID:23
                                                                                                      Start time:22:40:38
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1428
                                                                                                      Imagebase:0x20000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Reputation:high

                                                                                                      Target ID:24
                                                                                                      Start time:22:41:02
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDGUedyFqQlpw" /XML "C:\Users\user\AppData\Local\Temp\tmp85AA.tmp
                                                                                                      Imagebase:0x90000
                                                                                                      File size:185856 bytes
                                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      Target ID:25
                                                                                                      Start time:22:41:02
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7fcd70000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Target ID:26
                                                                                                      Start time:22:41:03
                                                                                                      Start date:03/02/2023
                                                                                                      Path:C:\Users\user\AppData\Roaming\SDGUedyFqQlpw.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:{path}
                                                                                                      Imagebase:0xb60000
                                                                                                      File size:1190400 bytes
                                                                                                      MD5 hash:EB529EFE16B4F7171FC8C4E132CE0C60
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 0000001A.00000002.603205973.000000000309F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown


                                                                                                        Execution Graph

                                                                                                        Execution Coverage:6.2%
                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:162
                                                                                                        Total number of Limit Nodes:14
                                                                                                        execution_graph: serialized node/edge listing of the interactive graph omitted; the functions in it resolve to the Windows APIs GetModuleHandleW, LoadLibraryExW, CreateWindowExW, DuplicateHandle and SetWindowLongW (entry nodes at d163b0, d16ba0, d1e060, d1b224, 53ee528, 53ef5d0, 53eee00).

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph for function d1db23-d1dde9: basic-block edge listing of the interactive graph omitted (executed/not-executed colouring not recoverable); the function calls d1b1ec and the Windows API CreateWindowExW in block d1dcfb-d1dd9a.
                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D1DD8A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 716092398-0
                                                                                                        • Opcode ID: bcc81959b9d5158f0e445eb5ee80a491af73a8397f34d39cbb892bec41814bec
                                                                                                        • Instruction ID: 61ce28ce5fdda24ceb4fb8bd094cd6828210390fb00ded45604d3655307703a4
                                                                                                        • Opcode Fuzzy Hash: bcc81959b9d5158f0e445eb5ee80a491af73a8397f34d39cbb892bec41814bec
                                                                                                        • Instruction Fuzzy Hash: 44916CB1C09388DFCB12CFA9C8509CDBFB1EF0A310F1981ABE945AB262D7349945CB55
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 19 d1bbc8-d1bbdd call d1b05c 22 d1bbf3-d1bbf7 19->22 23 d1bbdf 19->23 24 d1bbf9-d1bc03 22->24 25 d1bc0b-d1bc4c 22->25 72 d1bbe5 call d1be50 23->72 73 d1bbe5 call d1be40 23->73 24->25 30 d1bc59-d1bc67 25->30 31 d1bc4e-d1bc56 25->31 26 d1bbeb-d1bbed 26->22 27 d1bd28-d1bde8 26->27 67 d1bdf0-d1be1b GetModuleHandleW 27->67 68 d1bdea-d1bded 27->68 33 d1bc69-d1bc6e 30->33 34 d1bc8b-d1bc8d 30->34 31->30 36 d1bc70-d1bc77 call d1b068 33->36 37 d1bc79 33->37 35 d1bc90-d1bc97 34->35 39 d1bca4-d1bcab 35->39 40 d1bc99-d1bca1 35->40 38 d1bc7b-d1bc89 36->38 37->38 38->35 43 d1bcb8-d1bcc1 call d1b078 39->43 44 d1bcad-d1bcb5 39->44 40->39 49 d1bcc3-d1bccb 43->49 50 d1bcce-d1bcd3 43->50 44->43 49->50 52 d1bcf1-d1bcfe 50->52 53 d1bcd5-d1bcdc 50->53 59 d1bd21-d1bd27 52->59 60 d1bd00-d1bd1e 52->60 53->52 55 d1bcde-d1bcee call d198f8 call d1b088 53->55 55->52 60->59 69 d1be24-d1be38 67->69 70 d1be1d-d1be23 67->70 68->67 70->69 72->26 73->26
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID:
                                                                                                        • API String ID: 4139908857-0
                                                                                                        • Opcode ID: e0d8189c76a97ec36b0b59b64a73d31fdbca5bc098fca9e0c0b9adc5f2f32c8a
                                                                                                        • Instruction ID: 147af7b8329d73532d60e558f4229bd5780ecf15f097026a196ea0a08aef285c
                                                                                                        • Opcode Fuzzy Hash: e0d8189c76a97ec36b0b59b64a73d31fdbca5bc098fca9e0c0b9adc5f2f32c8a
                                                                                                        • Instruction Fuzzy Hash: 80714670A00B059FD724DF2AD05179ABBF1FF88710F04892ED48AD7A50DB35E945CBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 74 d1b1e3-d1dcde 76 d1dce0-d1dce6 74->76 77 d1dce9-d1dcf0 74->77 76->77 78 d1dcf2-d1dcf8 77->78 79 d1dcfb-d1dd33 77->79 78->79 80 d1dd3b-d1dd9a CreateWindowExW 79->80 81 d1dda3-d1dddb 80->81 82 d1dd9c-d1dda2 80->82 86 d1dde8 81->86 87 d1dddd-d1dde0 81->87 82->81 88 d1dde9 86->88 87->86 88->88
                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D1DD8A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 716092398-0
                                                                                                        • Opcode ID: 1b9bcf8a7aba7576648791b04cce214bd687537512e2a8188455a4696bce3f33
                                                                                                        • Instruction ID: 3257998a46958cc76d9b6cb64d1d49dc9b9387eaaf9bd7e4d8207960713ae4cf
                                                                                                        • Opcode Fuzzy Hash: 1b9bcf8a7aba7576648791b04cce214bd687537512e2a8188455a4696bce3f33
                                                                                                        • Instruction Fuzzy Hash: A751C3B1D00349EFDB14CF99D984ADEBBB6BF48310F24852AE419AB250DB749985CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 89 d1b1ec-d1dcde 91 d1dce0-d1dce6 89->91 92 d1dce9-d1dcf0 89->92 91->92 93 d1dcf2-d1dcf8 92->93 94 d1dcfb-d1dd9a CreateWindowExW 92->94 93->94 96 d1dda3-d1dddb 94->96 97 d1dd9c-d1dda2 94->97 101 d1dde8 96->101 102 d1dddd-d1dde0 96->102 97->96 103 d1dde9 101->103 102->101 103->103
                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D1DD8A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 716092398-0
                                                                                                        • Opcode ID: 3d5a2e600864c756b675cbb25fd9ba77622ca52b8ab83355abf787d9ee7558b9
                                                                                                        • Instruction ID: 504033d72ffd5bf0bc6777f829a5c65375e70e800ac55a7ebe5053dd15b41963
                                                                                                        • Opcode Fuzzy Hash: 3d5a2e600864c756b675cbb25fd9ba77622ca52b8ab83355abf787d9ee7558b9
                                                                                                        • Instruction Fuzzy Hash: 2B51B3B1D00309EFDB14CF99D584ADEBBB6BF48310F24852AE419AB250D7749985CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 104 d1dc6d-d1dcde 105 d1dce0-d1dce6 104->105 106 d1dce9-d1dcf0 104->106 105->106 107 d1dcf2-d1dcf8 106->107 108 d1dcfb-d1dd33 106->108 107->108 109 d1dd3b-d1dd9a CreateWindowExW 108->109 110 d1dda3-d1dddb 109->110 111 d1dd9c-d1dda2 109->111 115 d1dde8 110->115 116 d1dddd-d1dde0 110->116 111->110 117 d1dde9 115->117 116->115 117->117
                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D1DD8A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 716092398-0
                                                                                                        • Opcode ID: fd908690354d89450ce3ea2f0305613a9473ae95275817f094905eeed9e66a65
                                                                                                        • Instruction ID: db75e5da318bb93be377d29566733f6523ff7fd5aaede8857cd7b492a1aa9d1d
                                                                                                        • Opcode Fuzzy Hash: fd908690354d89450ce3ea2f0305613a9473ae95275817f094905eeed9e66a65
                                                                                                        • Instruction Fuzzy Hash: BD51B2B1D00309EFDB14CF99D984ADEFBB2BF48310F24852AE819AB250D7749985CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 118 d16d51-d16d58 119 d16dc2-d16e5c DuplicateHandle 118->119 120 d16d5a-d16d89 call d15c6c 118->120 122 d16e65-d16e82 119->122 123 d16e5e-d16e64 119->123 124 d16d8e-d16db4 120->124 123->122
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D16D8E,?,?,?,?,?), ref: 00D16E4F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: da4482b716a0d090121c613eba0e8cb010b9201d2d3c39b4854341c541ae8a78
                                                                                                        • Instruction ID: dbf073ba96bfdc74ca69ad9b53c9f1734204441b924561832fe184883f69047f
                                                                                                        • Opcode Fuzzy Hash: da4482b716a0d090121c613eba0e8cb010b9201d2d3c39b4854341c541ae8a78
                                                                                                        • Instruction Fuzzy Hash: 0B414776900209AFDB01CF99D944ADEBBF5FF48310F14806AE918A7320D775D954DFA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 129 d1de81-d1de97 130 d1de99-d1de9b 129->130 131 d1de9d-d1de9f 129->131 130->131 132 d1dea1-d1dea3 call d1b224 131->132 133 d1dea5-d1dea9 131->133 132->133
                                                                                                        APIs
                                                                                                        • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00D1DEA8,?,?,?,?), ref: 00D1DF1D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LongWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1378638983-0
                                                                                                        • Opcode ID: 046e496ee94a496b89b18d4935c685ba8093bd69754f534a5c53470352dc7378
                                                                                                        • Instruction ID: e806f525e8143aea9376aac7aaa9c27d0ff70a0c42b2c0ce1e304c00df5e7670
                                                                                                        • Opcode Fuzzy Hash: 046e496ee94a496b89b18d4935c685ba8093bd69754f534a5c53470352dc7378
                                                                                                        • Instruction Fuzzy Hash: 9721ACB1800249EFCB10DFA9E544ADEBFF5EF49320F14805AE458BB211C775A949CFA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 136 d15c6c-d16e5c DuplicateHandle 138 d16e65-d16e82 136->138 139 d16e5e-d16e64 136->139 139->138
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D16D8E,?,?,?,?,?), ref: 00D16E4F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: fe34fd3fc742279bfacc6a5e668cf9f4223dfec03e868662c1a0965bf9d1ac2e
                                                                                                        • Instruction ID: 77f77249927bd5a246d40703425b4b7e36fb090ab1f313d2b3e37032e37c1d0e
                                                                                                        • Opcode Fuzzy Hash: fe34fd3fc742279bfacc6a5e668cf9f4223dfec03e868662c1a0965bf9d1ac2e
                                                                                                        • Instruction Fuzzy Hash: BD21E3B5900249AFDB10CF9AD984ADEFFF4FB48320F14841AE919A7310D774A984DFA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 142 d16dc0-d16e5c DuplicateHandle 143 d16e65-d16e82 142->143 144 d16e5e-d16e64 142->144 144->143
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D16D8E,?,?,?,?,?), ref: 00D16E4F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 4b21b3b356df9dc78d9c2a89f908ad408e97414ef927cfaaa0d142e7bce68779
                                                                                                        • Instruction ID: 853b0272e0592989e066c57c89bac9adfdd0ec79657b36feb969cd181a4f294c
                                                                                                        • Opcode Fuzzy Hash: 4b21b3b356df9dc78d9c2a89f908ad408e97414ef927cfaaa0d142e7bce68779
                                                                                                        • Instruction Fuzzy Hash: 0E21E3B5900209DFDB00CF99D584ADEFBF5FF48324F14841AE919A7210D774A955CF60
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 147 d1b0b0-d1c070 149 d1c072-d1c075 147->149 150 d1c078-d1c0a7 LoadLibraryExW 147->150 149->150 151 d1c0b0-d1c0cd 150->151 152 d1c0a9-d1c0af 150->152 152->151
                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D1BE89,00000800,00000000,00000000), ref: 00D1C09A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 1029625771-0
                                                                                                        • Opcode ID: 96684b7a469c6192ffae3af199442a1bc40403a41bd927b1675a159447efcd1c
                                                                                                        • Instruction ID: c5033e5243a98608f9655f94fb3a81d1528a2e429bbc278a06237a5b7320b137
                                                                                                        • Opcode Fuzzy Hash: 96684b7a469c6192ffae3af199442a1bc40403a41bd927b1675a159447efcd1c
                                                                                                        • Instruction Fuzzy Hash: 9A11F2B69002099FDB20DF9AD544BDEFBF4AB48314F14842EE419A7200C7B5A985CFA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 162 d1c028-d1c070 163 d1c072-d1c075 162->163 164 d1c078-d1c0a7 LoadLibraryExW 162->164 163->164 165 d1c0b0-d1c0cd 164->165 166 d1c0a9-d1c0af 164->166 166->165
                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D1BE89,00000800,00000000,00000000), ref: 00D1C09A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 1029625771-0
                                                                                                        • Opcode ID: 588e52f96ae6fc952710202f139bba92bb9ecf85898763eb6fb0322c4da6d8ea
                                                                                                        • Instruction ID: 0a211a88da1f11a463d9d4a6f95bcb533e0dc1675225ca4d43ab56468b88bd36
                                                                                                        • Opcode Fuzzy Hash: 588e52f96ae6fc952710202f139bba92bb9ecf85898763eb6fb0322c4da6d8ea
                                                                                                        • Instruction Fuzzy Hash: E81100B6D00209CFCB14CF9AD544ADEFBF4AB48320F14852AD819A7200C775A985CFA4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
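Each listing above describes a function twice: as a `control_flow_graph` edge list and as an `APIs` line that names the imported function and the address of the call site (`ref:`). Several listings end in the same basic blocks and report the same `ref:` address (the CreateWindowExW listings entered at d1b1e3, d1b1ec and d1dc6d all call at 00D1DD8A; the DuplicateHandle listings at d16d51, d15c6c and d16dc0 all call at 00D16E4F; the LoadLibraryExW listings at d1b0b0 and d1c028 both call at 00D1C09A), so they are overlapping views of one routine entered at different blocks rather than distinct routines. The Python below is an added example for this report, not Joe Sandbox code: it parses both line kinds (the token grammar is inferred from the lines visible here, not from any published format) and groups listings by their (API, ref) call site so the duplicates collapse. The sample input is four graph lines and three API lines copied from the listings on this page.

```python
"""Parse Joe Sandbox 'control_flow_graph' and 'APIs' report lines and group
listings that reach the same API call site.

Added example, not Joe Sandbox code. Grammar inferred from the report text:
  graph: 'control_flow_graph' then blocks '<id> <start>[-<end>] [note ...]'
         and edges '<id>-><id>' in any order; notes are 'call <addr>' or an
         API name attached to the block they follow.
  api:   '<Api>.<Module>(<arg>,...), ref: <hex>'
"""
import re
from collections import defaultdict

EDGE = re.compile(r"^(\d+)->(\d+)$")
HEX_RANGE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")
API_LINE = re.compile(r"^\W*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")

# Lines copied from the report above: graph 19 (no APIs line), graphs 74 and 89
# (both reach CreateWindowExW at 00D1DD8A) and graph 147 (LoadLibraryExW).
REPORT = """\
control_flow_graph 19 d1bbc8-d1bbdd call d1b05c 22 d1bbf3-d1bbf7 19->22 23 d1bbdf 19->23 24 d1bbf9-d1bc03 22->24 25 d1bc0b-d1bc4c 22->25 72 d1bbe5 call d1be50 23->72 73 d1bbe5 call d1be40 23->73 24->25 30 d1bc59-d1bc67 25->30 31 d1bc4e-d1bc56 25->31 26 d1bbeb-d1bbed 26->22 27 d1bd28-d1bde8 26->27 67 d1bdf0-d1be1b GetModuleHandleW 27->67 68 d1bdea-d1bded 27->68 33 d1bc69-d1bc6e 30->33 34 d1bc8b-d1bc8d 30->34 31->30 36 d1bc70-d1bc77 call d1b068 33->36 37 d1bc79 33->37 35 d1bc90-d1bc97 34->35 39 d1bca4-d1bcab 35->39 40 d1bc99-d1bca1 35->40 38 d1bc7b-d1bc89 36->38 37->38 38->35 43 d1bcb8-d1bcc1 call d1b078 39->43 44 d1bcad-d1bcb5 39->44 40->39 49 d1bcc3-d1bccb 43->49 50 d1bcce-d1bcd3 43->50 44->43 49->50 52 d1bcf1-d1bcfe 50->52 53 d1bcd5-d1bcdc 50->53 59 d1bd21-d1bd27 52->59 60 d1bd00-d1bd1e 52->60 53->52 55 d1bcde-d1bcee call d198f8 call d1b088 53->55 55->52 60->59 69 d1be24-d1be38 67->69 70 d1be1d-d1be23 67->70 68->67 70->69 72->26 73->26
control_flow_graph 74 d1b1e3-d1dcde 76 d1dce0-d1dce6 74->76 77 d1dce9-d1dcf0 74->77 76->77 78 d1dcf2-d1dcf8 77->78 79 d1dcfb-d1dd33 77->79 78->79 80 d1dd3b-d1dd9a CreateWindowExW 79->80 81 d1dda3-d1dddb 80->81 82 d1dd9c-d1dda2 80->82 86 d1dde8 81->86 87 d1dddd-d1dde0 81->87 82->81 88 d1dde9 86->88 87->86 88->88
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D1DD8A
control_flow_graph 89 d1b1ec-d1dcde 91 d1dce0-d1dce6 89->91 92 d1dce9-d1dcf0 89->92 91->92 93 d1dcf2-d1dcf8 92->93 94 d1dcfb-d1dd9a CreateWindowExW 92->94 93->94 96 d1dda3-d1dddb 94->96 97 d1dd9c-d1dda2 94->97 101 d1dde8 96->101 102 d1dddd-d1dde0 96->102 97->96 103 d1dde9 101->103 102->101 103->103
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D1DD8A
control_flow_graph 147 d1b0b0-d1c070 149 d1c072-d1c075 147->149 150 d1c078-d1c0a7 LoadLibraryExW 147->150 149->150 151 d1c0b0-d1c0cd 150->151 152 d1c0a9-d1c0af 150->152 152->151
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D1BE89,00000800,00000000,00000000), ref: 00D1C09A
"""


def parse_cfg(line):
    """Return (blocks, edges); blocks maps id -> {start, end, notes}."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, current, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok.isdigit() and i + 1 < len(tokens) and HEX_RANGE.match(tokens[i + 1]):
            rng = HEX_RANGE.match(tokens[i + 1])
            start = int(rng.group(1), 16)
            end = int(rng.group(2), 16) if rng.group(2) else start  # single-address block
            current = int(tok)
            blocks[current] = {"start": start, "end": end, "notes": []}
            i += 1  # consumed the range token as well
        elif current is not None:
            blocks[current]["notes"].append(tok)  # 'call', '<addr>' or an API name
        i += 1
    return blocks, edges


def parse_api(line):
    """Return {api, module, args, ref} for an APIs line, or None."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    api, module, args, ref = m.groups()
    return {"api": api, "module": module, "args": args.split(","), "ref": ref.upper()}


def parse_report(text):
    """Pair every graph line with the APIs lines that follow it."""
    functions = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            blocks, edges = parse_cfg(line)
            first = next(iter(blocks))  # Joe Sandbox lists the entry block first
            functions.append({"entry": blocks[first]["start"], "blocks": blocks,
                              "edges": edges, "apis": []})
        elif functions and (api := parse_api(line)):
            functions[-1]["apis"].append(api)
    return functions


def successors(func, block_id):
    return [dst for src, dst in func["edges"] if src == block_id]


def cfg_api_names(func):
    """API names annotated on blocks (capitalised tokens; 'call <addr>' is internal)."""
    return sorted({n for b in func["blocks"].values() for n in b["notes"] if n[0].isupper()})


def group_by_call_site(functions):
    """(api, ref) -> entry addresses of every listing that reaches that call site."""
    groups = defaultdict(list)
    for f in functions:
        for a in f["apis"]:
            groups[(a["api"], a["ref"])].append(f["entry"])
    return dict(groups)


def main():
    funcs = parse_report(REPORT)
    for f in funcs:
        print(f"entry {f['entry']:08x}: {len(f['blocks'])} blocks, {len(f['edges'])} edges, "
              f"APIs in graph: {cfg_api_names(f)}")
    for (api, ref), entries in sorted(group_by_call_site(funcs).items()):
        print(f"{api} at {ref}: reached from " + ", ".join(f"{e:08x}" for e in entries))


if __name__ == "__main__":
    main()
```

Grouping by call site reduces the two CreateWindowExW listings in the sample to one call at 00D1DD8A; their different Opcode IDs and Instruction Fuzzy Hashes come from the different entry blocks (d1b1e3 and d1b1ec), not from different code reaching the API. The parser also exposes details the report only shows inline: graph 19 has no APIs line but carries `GetModuleHandleW` as a block note, and the LoadLibraryExW line lists twelve argument slots although the API takes three, so the trailing slots are stack contents rather than parameters.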

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 155 d1b05c-d1bde8 157 d1bdf0-d1be1b GetModuleHandleW 155->157 158 d1bdea-d1bded 155->158 159 d1be24-d1be38 157->159 160 d1be1d-d1be23 157->160 158->157 160->159
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00D1BBDB), ref: 00D1BE0E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID:
                                                                                                        • API String ID: 4139908857-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks: 169 (d1b224-d1df2a, calls SetWindowLongW), 171 (d1df33-d1df47), 172 (d1df2c-d1df32)
• Edges: 169->171, 169->172, 172->171
APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00D1DEA8,?,?,?,?), ref: 00D1DF1D
Memory Dump Source
• Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361463067.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b8d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361512537.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361512537.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361512537.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361463067.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b8d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361512537.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361463067.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b8d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.361463067.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b8d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                        • Opcode ID: de183c31ebeed0d8e2fb845fc33f391395217779914277a1248241aab1197648
                                                                                                        • Instruction ID: 7828555530aa865af7102e05c6b5608c8b6e7649442b9f6e610d1623e73d3b47
                                                                                                        • Opcode Fuzzy Hash: de183c31ebeed0d8e2fb845fc33f391395217779914277a1248241aab1197648
                                                                                                        • Instruction Fuzzy Hash: 2DF01731A116168FD31DDF2CD441A16BBE5FB05310B2109A6E065DF682D7A0E9C0CBE2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fc9a12fe18adf477e9945d9a378b9def596441340f7f8fd79d839cbc12460186
                                                                                                        • Instruction ID: 2b370247c604fffc0c0e2769556ac0bcef9cbdaa99ee6b7fda0dd120f5ad7d17
                                                                                                        • Opcode Fuzzy Hash: fc9a12fe18adf477e9945d9a378b9def596441340f7f8fd79d839cbc12460186
                                                                                                        • Instruction Fuzzy Hash: D7F0F8716047159FDB18DF18D4829A57BEAFB056587300C99E42ACF342D7A2E8038B95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c6c865bb712f653e56833d340f51b8a35ca41490d3b1794761d60d8e88cd0808
                                                                                                        • Instruction ID: 5dbfc15e359d3fb514e4249c0344c381c22a82d0d28edc07d3b223dce4eab694
                                                                                                        • Opcode Fuzzy Hash: c6c865bb712f653e56833d340f51b8a35ca41490d3b1794761d60d8e88cd0808
                                                                                                        • Instruction Fuzzy Hash: 0DF01C706047109BCB18DF2CE4429A57BE5FF4926833049ADE029CF656D772E803CBD4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8e27fbad23f0f92c3dd6a1df99a304c692d6b8b33733975259f785e4c7c73e91
                                                                                                        • Instruction ID: db349a7e433e9be1478431549a7aad2a35301d7b3a3fd874ed038963488bf6cd
                                                                                                        • Opcode Fuzzy Hash: 8e27fbad23f0f92c3dd6a1df99a304c692d6b8b33733975259f785e4c7c73e91
                                                                                                        • Instruction Fuzzy Hash: A1E092312143159BCB14EF08D082AE57BF6EB016987250C59E41ACF305DBA6D8078BD1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 65d57fd6da8cd47e2137db9054b32b2be66e0ddf6f8e5bbac82264f3268ada26
                                                                                                        • Instruction ID: 33923b02e1e93427211cd33370f2c13394e71462e74a0ba5b539a8f9ed70e5a7
                                                                                                        • Opcode Fuzzy Hash: 65d57fd6da8cd47e2137db9054b32b2be66e0ddf6f8e5bbac82264f3268ada26
                                                                                                        • Instruction Fuzzy Hash: 71E09B31300715DFC231DE5CE442E557BE5FF42750B01497DE046CB151CBB098159BD1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ab853030bfd338dcd74ff7cc3593eacd1346b197b0353e33abd140e2ea930e8f
                                                                                                        • Instruction ID: 415de43523aa1ea8c9d3ee878922fbf9f782becab31a39a3d8e3458885d81305
                                                                                                        • Opcode Fuzzy Hash: ab853030bfd338dcd74ff7cc3593eacd1346b197b0353e33abd140e2ea930e8f
                                                                                                        • Instruction Fuzzy Hash: 7BE026713083149FC30A1B08A431BC67BE6AF8B340F0940AFE849CB392CA618C0183A2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9a0c0cd656383cfb43699081400abee96e70b59163432752fe493c6b33a6867f
                                                                                                        • Instruction ID: 26cf84ab7081de91ab171d3f969253b01bf9aa6042ede49665a2183f33c6df35
                                                                                                        • Opcode Fuzzy Hash: 9a0c0cd656383cfb43699081400abee96e70b59163432752fe493c6b33a6867f
                                                                                                        • Instruction Fuzzy Hash: CCE01230604315ABCB18DF28F4429A57BE5FB453587200DBDE045CF615D762E943C7D1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.388921921.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_53e0000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f02dc0c454bc39768fc0468b1c072899ddcfdc45dc3110ba84411d2d68ae9c6b
                                                                                                        • Instruction ID: e4109de4101d27caa72261382e0208f334ab24a1a356fac9e044612d5257f35c
                                                                                                        • Opcode Fuzzy Hash: f02dc0c454bc39768fc0468b1c072899ddcfdc45dc3110ba84411d2d68ae9c6b
                                                                                                        • Instruction Fuzzy Hash: 4ED05E313042245BC7096748A4207DA76DA9B89750F04806EE50D8B390C9A19C0183E5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6e698959cfe41a995e25c88577063c3f1d76ec924a66d47c591eb5d09eeb1934
                                                                                                        • Instruction ID: b82c7490c04fcb68caa8af045b7c5b428b3df8277e4c2f3a65fb6d9ed6b8fa44
                                                                                                        • Opcode Fuzzy Hash: 6e698959cfe41a995e25c88577063c3f1d76ec924a66d47c591eb5d09eeb1934
                                                                                                        • Instruction Fuzzy Hash: 615237B1512B27EFD710CF1AF8B82997BA1FB41324B904208D1629B790D7BC798ACF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.361840880.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_d10000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 112b8bbcf53a0891760749d8ccfedf285c2a3d26f147a51896441e69d8e4fdf9
                                                                                                        • Instruction ID: cd5831088ca76b12751f173c6a3510d68153e81d5e1eef21e4412f306366bf91
                                                                                                        • Opcode Fuzzy Hash: 112b8bbcf53a0891760749d8ccfedf285c2a3d26f147a51896441e69d8e4fdf9
                                                                                                        • Instruction Fuzzy Hash: 73A19E32E0021A9FCF05DFA5D8445DDBBB2FF85310B15816AE805BB221EF35E996CB60
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Execution Graph

                                                                                                        Execution Coverage: 15.2%
                                                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                                                        Signature Coverage: 0%
                                                                                                        Total number of Nodes: 273
                                                                                                        Total number of Limit Nodes: 19
                                                                                                        execution_graph: node and edge listing of the rendered execution graph omitted (interactive-graph residue). Windows API calls named in the graph: DuplicateHandle, LoadLibraryExW, CreateWindowExW, GetModuleHandleW, GetFocus, KiUserCallbackDispatcher, SetWindowLongW, SendMessageW, SetWindowTextW, KiUserExceptionDispatcher.

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph: basic-block and edge listing for the function at 2a3bc18 omitted (rendered-graph residue). The listed blocks span 2a3bc18-2a3be98, call 2a3b0bc, 2a3bea2, 2a3beb0, 2a3b0c8, 2a3b0d8, 2a39960 and 2a3b0e8, and call GetModuleHandleW in the block at 2a3be50.
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 02A3BE6E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID: Do$Do
                                                                                                        • API String ID: 4139908857-2688128010
                                                                                                        • Opcode ID: af9ed7e2652309407290a99424826232890f4d2e396fb1a2dbec9e71eb125bd5
                                                                                                        • Instruction ID: b89026b714c2baa917b37c9c0420cae3c317f5fd2e0af3976d097230d4daf502
                                                                                                        • Opcode Fuzzy Hash: af9ed7e2652309407290a99424826232890f4d2e396fb1a2dbec9e71eb125bd5
                                                                                                        • Instruction Fuzzy Hash: 40814870A00B058FD725DF29D59575ABBF2BF88304F10892EE44ADBA50DB75E806CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph
• Function 8a6e9c8-8a6f564 (calls 8a6f5a0, 8a6e51c, 8a6e52c, 8a6e53c, 8a6e54c, 8a6e55c, 8a6e56c, 8a6e57c, KiUserExceptionDispatcher); legend: Executed / Not Executed
Memory Dump Source
• Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: febf52754c4519302d038322322985c01899f33a652eec90dbb9c8e4a8841b7e
• Instruction ID: b733b50e33baf770569a8d6f91d94085dca5b4726080cdece3a5420ec1e98daf
• Opcode Fuzzy Hash: febf52754c4519302d038322322985c01899f33a652eec90dbb9c8e4a8841b7e
• Instruction Fuzzy Hash: 7B62F274901218CFDB64EF24D998BADBBB2FB4A312F1095A9E41EA7390CB355D91CF10
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 2a3dc79-2a3de49 (calls 2a3b24c, CreateWindowExW); legend: Executed / Not Executed
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A3DDEA
Memory Dump Source
• Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 71a5da5f5887ae204cdc284b160025bf6d98791782ff31ce16ff1f6478ded8c9
• Instruction ID: 6856be0058fc4a7b35cee08bd55d0d91064795d4441e97c604b621281b2006e8
• Opcode Fuzzy Hash: 71a5da5f5887ae204cdc284b160025bf6d98791782ff31ce16ff1f6478ded8c9
• Instruction Fuzzy Hash: FE51FFB1C00249EFDF16CF99C984ADEBFB2BF49310F24816AE818AB220D7759845CF50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 8a6cd28-8a6ce76 (calls 8a6be24, KiUserCallbackDispatcher); legend: Executed / Not Executed
APIs
• KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 08A6CE48
Memory Dump Source
• Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 7e8c08e37fa6f728d94495be90a8075b14684aecaa2d83ca55265df96ec06a21
• Instruction ID: e9912e8ac9ad5b2e8f3afc7e1708ed70f6dae1e8ffb04d534ce491d3d68e8f50
• Opcode Fuzzy Hash: 7e8c08e37fa6f728d94495be90a8075b14684aecaa2d83ca55265df96ec06a21
• Instruction Fuzzy Hash: F1416631B40114DFCB54DFA9C884AAEBBF5EF88321F1400A9E506EB761DA31ED41CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 2a3b24c-2a3de49 (calls CreateWindowExW); legend: Executed / Not Executed
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A3DDEA
Memory Dump Source
• Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 69d06b2d12f43191c0e0b6beb60cd7491d7717e334fd59f50beb2cac3ae4dfbb
• Instruction ID: 182ea753bfa9469b16e1d763d3fd24bd016a57c72a9d051e6516bf8b2605663a
• Opcode Fuzzy Hash: 69d06b2d12f43191c0e0b6beb60cd7491d7717e334fd59f50beb2cac3ae4dfbb
• Instruction Fuzzy Hash: F251BFB1D01709DFDB15CF9AC984ADEBFB5BF48310F24812AE819AB210D774A945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 8a699e0-8a69a89 (calls SetWindowTextW); legend: Executed / Not Executed
APIs
• SetWindowTextW.USER32(?,00000000), ref: 08A69A52
Memory Dump Source
• Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: 64b868ac6ae94d6bd501820e97026695fab15e0e8da36a57c6159f799b95bb0f
• Instruction ID: 422fe2ea9eb562bc10440b41b9ff314258335c61f93678ef145067deb3390e1c
• Opcode Fuzzy Hash: 64b868ac6ae94d6bd501820e97026695fab15e0e8da36a57c6159f799b95bb0f
• Instruction Fuzzy Hash: E62137B2D007499FDB10CF9AC444BDFBBF8EF58225F14846AD864A7650C338A546CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 2a36e18-2a36eda (calls DuplicateHandle); legend: Executed / Not Executed
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A36EA7
Memory Dump Source
• Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2e90b6942651a93e0a88dcb72881278567f9383921deec1b37412e30bab4d093
• Instruction ID: d865104cdb02305284809f8157e7e8719787531bbcdaf0e53ed7d4538a670a60
• Opcode Fuzzy Hash: 2e90b6942651a93e0a88dcb72881278567f9383921deec1b37412e30bab4d093
• Instruction Fuzzy Hash: 9021E3B5D01249AFDF10CFAAD584ADEBFF4EB48310F24841AE854A7310C378A944CF60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 2a36e20-2a36eda (calls DuplicateHandle); legend: Executed / Not Executed
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A36EA7
Memory Dump Source
• Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: d252203811d9a414156ef06254b08506124a361139b3114d932d83603dca62c9
• Instruction ID: 94d558ba7eec747523c9b67082534f36d1a9022a1c1761b52d71415c1cb10c12
• Opcode Fuzzy Hash: d252203811d9a414156ef06254b08506124a361139b3114d932d83603dca62c9
• Instruction Fuzzy Hash: 6E21C2B5D01249AFDB10CFAAD984ADEBBF8FB48720F14841AE914A7310D374A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 2a3c088-2a3c12d (calls LoadLibraryExW); legend: Executed / Not Executed
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02A3BEE9,00000800,00000000,00000000), ref: 02A3C0FA
Memory Dump Source
• Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: f696c242c01eba72e887a4123688bbdcefe35a601c99011a79ea3b46bf9decf6
• Instruction ID: 884a98b8a016d734871ebb9d91afb87ec546c0a96df207fd1b828d6b040e0a6d
• Opcode Fuzzy Hash: f696c242c01eba72e887a4123688bbdcefe35a601c99011a79ea3b46bf9decf6
• Instruction Fuzzy Hash: CC2124B6D003488FCB11CF9AC984ADEBBF5AB48324F14845AE415B7210C775A545CFA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Function 2a3b110-2a3c12d (calls LoadLibraryExW); legend: Executed / Not Executed
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02A3BEE9,00000800,00000000,00000000), ref: 02A3C0FA
Memory Dump Source
• Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 99a75b5cda44bceb0eb8804518236b400f2a4dbfb9d5d1261c94fa8fb2a404c5
• Instruction ID: 7f21be38824919e850f0a75d15dffff90f7f6b8ee7b8ce9a707c70fbb0a193b9
• Opcode Fuzzy Hash: 99a75b5cda44bceb0eb8804518236b400f2a4dbfb9d5d1261c94fa8fb2a404c5
• Instruction Fuzzy Hash: 4F1106B2D003498FCB20CF9AC944B9EFBF5AB48324F14842EE415B7610C775A545CFA4
Uniqueness

Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (rendered graph; basic blocks and edges recovered from the page)
                                                                                                        • 718: 8a699e8-8a69a28 -> 720, 721
                                                                                                        • 720: 8a69a30-8a69a5f (SetWindowTextW) -> 723, 724
                                                                                                        • 721: 8a69a2a-8a69a2d -> 720
                                                                                                        • 723: 8a69a61-8a69a67 -> 724
                                                                                                        • 724: 8a69a68-8a69a89
                                                                                                        APIs
                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 08A69A52
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: TextWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 530164218-0
                                                                                                        • Opcode ID: 81d6eb85c26a91c327ba4c51f1ac982c7638fb7dd4d799a639e4594dff566139
                                                                                                        • Instruction ID: 56a909273b7c03c6acbb65e2fbdb3cd97089409a81d3171176389fbb4e295c8f
                                                                                                        • Opcode Fuzzy Hash: 81d6eb85c26a91c327ba4c51f1ac982c7638fb7dd4d799a639e4594dff566139
                                                                                                        • Instruction Fuzzy Hash: E211E4B2D002498FDB14CF9AC544BDFFBF8EB58320F14842AD869A7640D378A546CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 08A6AF1D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3850602802-0
                                                                                                        • Opcode ID: 7c2a1390076d51d18c44dc8a3a2b2ce6c874b9b5ebb96bc8a992a09dc19088fc
                                                                                                        • Instruction ID: d9055bcfdc42c2bb578bf98727631425aadff00be25d450dfc76e0e46edf7b47
                                                                                                        • Opcode Fuzzy Hash: 7c2a1390076d51d18c44dc8a3a2b2ce6c874b9b5ebb96bc8a992a09dc19088fc
                                                                                                        • Instruction Fuzzy Hash: F311E3B58003499FDB20DF9AD984BDFFBF8EB48320F14841AE455A7600C374A594CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 02A3DF7D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LongWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1378638983-0
                                                                                                        • Opcode ID: e5f7f578ab6b44ad138d21b34048274fecf537328a9fc135ae657a65f0f83c4b
                                                                                                        • Instruction ID: ddb8f9a3be89a9f305d19bab527fbd86bd288f313c0d39f730891b0396aabce4
                                                                                                        • Opcode Fuzzy Hash: e5f7f578ab6b44ad138d21b34048274fecf537328a9fc135ae657a65f0f83c4b
                                                                                                        • Instruction Fuzzy Hash: 9411F2B5900709DFDB20DF9AD588BDFBBF8EB48320F10845AE919A7600C374A944CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 02A3BE6E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID:
                                                                                                        • API String ID: 4139908857-0
                                                                                                        • Opcode ID: a4646ab4cd98ce205e173fa4ba6a8a9d441a8162af82dc42a8bfe6c83ce265c1
                                                                                                        • Instruction ID: e658cd6883175581c89544ab788b5c124999bf52685545bb85c84a460315f49e
                                                                                                        • Opcode Fuzzy Hash: a4646ab4cd98ce205e173fa4ba6a8a9d441a8162af82dc42a8bfe6c83ce265c1
                                                                                                        • Instruction Fuzzy Hash: 561102B2C002498FCB20CF9AC544ADFFBF5AB88324F14841AD429A7610C374A545CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,00000018,00000001,?), ref: 08A6D32D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3850602802-0
                                                                                                        • Opcode ID: 2dbf2d2a61f46fe1fa1a391bf2bb98a929a09fa6f58c534b2ed5beb5d6c684ec
                                                                                                        • Instruction ID: 07d02e5c638b2e185fe2d215caa3503e6530445a5f57fb26c45c7e8ab216b109
                                                                                                        • Opcode Fuzzy Hash: 2dbf2d2a61f46fe1fa1a391bf2bb98a929a09fa6f58c534b2ed5beb5d6c684ec
                                                                                                        • Instruction Fuzzy Hash: 961103B59003499FDB20DF9AD588BDFBBF8FB48320F10845AE954A7600C379A954CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 08A6AF1D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3850602802-0
                                                                                                        • Opcode ID: 7dd3801354ea8caa8268590f3a91a4f482507e808d8f7f37059915acd843ec7e
                                                                                                        • Instruction ID: f8be8c19fe9fcb77573f432fcc2db3fe48e42338a5176c7239faac9ccffd742f
                                                                                                        • Opcode Fuzzy Hash: 7dd3801354ea8caa8268590f3a91a4f482507e808d8f7f37059915acd843ec7e
                                                                                                        • Instruction Fuzzy Hash: AE11F2B58003599FCB20DF9AD588BDFBBF8EB48320F14841AE915B7600D3B4A954CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02A3BEE9,00000800,00000000,00000000), ref: 02A3C0FA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 1029625771-0
                                                                                                        • Opcode ID: d212d2191709da652084602b2384ef6e9bde4f81a16955ba670bdd9bd7ed5df5
                                                                                                        • Instruction ID: 6f83f1b8e391160c504c688a8618f5abc059f4e65b95f2e5ec6136b8ef21f87e
                                                                                                        • Opcode Fuzzy Hash: d212d2191709da652084602b2384ef6e9bde4f81a16955ba670bdd9bd7ed5df5
                                                                                                        • Instruction Fuzzy Hash: 5401A272D043848EDB218BEE98453CABFF0AF56334F14845BD158F7641C77A5449CB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 02A3DF7D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.600870036.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_2a30000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LongWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1378638983-0
                                                                                                        • Opcode ID: 8845b3094e53a9e2a6531c01a85b5e9888721697276e81d0e4324098e5033fe9
                                                                                                        • Instruction ID: 4f2ddd083fea025da40976f06f979c95891a08dd2b1b474c2436b198ab6e842e
                                                                                                        • Opcode Fuzzy Hash: 8845b3094e53a9e2a6531c01a85b5e9888721697276e81d0e4324098e5033fe9
                                                                                                        • Instruction Fuzzy Hash: C211C2B5D002498FDB10DF99D684BDEBBF4EB48324F24855AE859A7600C374A944CFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 08A624DA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.648399011.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_8a60000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CallbackDispatcherUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 2492992576-0
                                                                                                        • Opcode ID: cbc814990c70889ac61fa685b20104c144ee57a01f6d60bd9f09d54c3cdd0073
                                                                                                        • Instruction ID: ba3d7128530f5eb012ff1af88f129f784a3d3e658bbe88dfd5010d37e18f642d
                                                                                                        • Opcode Fuzzy Hash: cbc814990c70889ac61fa685b20104c144ee57a01f6d60bd9f09d54c3cdd0073
                                                                                                        • Instruction Fuzzy Hash: 46E01271B102245B9A68EB79D81892B77ED9F85A70300446EF906CB764DE61DC01C7E4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2f1201fb51d45588b8e1ea97a47bfc1f1da5661b4d5da51031f1571ff6193c0d
                                                                                                        • Instruction ID: e29bbd21130f02e14224e2856af7f38a8fdb4f1e0c4d632e5e30e4ae0ba38b76
                                                                                                        • Opcode Fuzzy Hash: 2f1201fb51d45588b8e1ea97a47bfc1f1da5661b4d5da51031f1571ff6193c0d
                                                                                                        • Instruction Fuzzy Hash: 32210475508340EFDF05DF54D9C0B66BBA5FB84318F24CAADE8096B2A6C336D846CA61
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6ad98082ac2ed5ee4d8e69b5c7814f20dca73711385d8d11e13b4e5dc9969d0e
                                                                                                        • Instruction ID: f40c8016e6f0b09ac1b25e216072960619e8ca02546440f9c9dfd7c7a4b163fb
                                                                                                        • Opcode Fuzzy Hash: 6ad98082ac2ed5ee4d8e69b5c7814f20dca73711385d8d11e13b4e5dc9969d0e
                                                                                                        • Instruction Fuzzy Hash: 84213871508340DFDF11DF14DDC0B6AFB65FB84324F24C669D8096B245C37AE846CA62
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3f53e92e2d7ca46a4f351d364d645f048a1d3b2b5e2e9ef7f1a2b5023b607715
                                                                                                        • Instruction ID: 8ddac3f9cd2e16f8b765de76b3c0d02cb027169fd15809f5791c435380d77d23
                                                                                                        • Opcode Fuzzy Hash: 3f53e92e2d7ca46a4f351d364d645f048a1d3b2b5e2e9ef7f1a2b5023b607715
                                                                                                        • Instruction Fuzzy Hash: 7921F275608340DFDF15DF24D9C4B16BBA6FB84318F24CA69D84A6B246C33AD847CA61
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 76480823db9f5076eda29990ff1850b79af23f1f11ab1ec7065a7636833b80f2
                                                                                                        • Instruction ID: c12d4ec1f5eb92bc52174b3d8f2f4832753ba5f50658454d7f583c57786bf415
• Opcode Fuzzy Hash: 76480823db9f5076eda29990ff1850b79af23f1f11ab1ec7065a7636833b80f2
• Instruction Fuzzy Hash: FB2127B1508344DFDF04DF18DAC0B2ABBA5FB84729F24C66DD8096B245C339D806C6A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7b5f99741d2e4a2153befb677a89a5bff6c3f875438345380fa5250d15ed659
• Instruction ID: 9a966450ed5ef4d2045197ff652803ad812504a70e30c272656cbcb1f1c55fc2
• Opcode Fuzzy Hash: f7b5f99741d2e4a2153befb677a89a5bff6c3f875438345380fa5250d15ed659
• Instruction Fuzzy Hash: 55217F755093808FDB02CF24D990715BF72EB46318F28C5EAD8498B697C33A984ACB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
• Instruction ID: 1953441631a3f9c1da1aedb92e3a4bb6e66c06f20ff960683d562c884c708fcf
• Opcode Fuzzy Hash: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
• Instruction Fuzzy Hash: EB11BE75508280DFCB01CF10C9C0B15FBA1FB84328F24C6ADD8495B6A6C33AD85ACB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bfc54da5199e54ac29bb95c303e1f9d0456aef68e3c8f2039d41b65c1a2cd17
• Instruction ID: a3d9d1179e2e17908f9a3908099a4cbfa0337b890f5b96d4c129323200c60df3
• Opcode Fuzzy Hash: 0bfc54da5199e54ac29bb95c303e1f9d0456aef68e3c8f2039d41b65c1a2cd17
• Instruction Fuzzy Hash: EB118276508280DFDB11CF14D9C4B19FB71FB84324F24C6AAD8495B646C33AE84ACB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.597763452.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e9d000_DHL #109#.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a32f8b5301d520f97a745f1cf21a85d993a089121ee8739b1b9e92feef739b5b
• Instruction ID: ed70e765e4f0f8bcd85a7b35da47e925a90aafe96aa19e0477cda5d6151f7607
• Opcode Fuzzy Hash: a32f8b5301d520f97a745f1cf21a85d993a089121ee8739b1b9e92feef739b5b
• Instruction Fuzzy Hash: 8F110A76508280DFDB01CF14DAC0719FB71FB84324F24C66DC8495B645C339D84ACB92
Uniqueness

Uniqueness Score: -1.00%