Windows Analysis Report
DHL Receipt 004673321.pdf.exe

Overview

General Information

Sample name: DHL Receipt 004673321.pdf.exe
Analysis ID: 1428356
MD5: 902c91012912a8aaee6a3d1e43af13af
SHA1: 9fe644a8d52f153fe568f0390e8568b16a0e57c5
SHA256: 46ff258b05454a780553a2bde8d1847aa2b9c804c6ee432ed5180a4bdbb5a4d7
Tags: DHLexe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
One or more processes crash
PE file contains an invalid checksum
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
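Two of the signatures above ("Sigma detected: Suspicious Double Extension File Execution" and "Uses an obfuscated file name to hide its real file extension") fire on the file name alone. The following Python is added here as an example; it is not part of the Joe Sandbox report and is not the Sigma rule itself. It applies the same name check to constructed process-creation events and also catches two variants a plain suffix match misses: whitespace padding between the fake and the real extension, and a Unicode right-to-left override character in the base name. The extension lists, the event shape and the sample events are assumptions made for the example.

```python
import ntpath

# Extensions a user expects to open as a document or picture, and extensions
# Windows will actually execute. Both lists are assumptions for this example,
# not the exact lists used by the Sigma rule.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf",
                 "txt", "csv", "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "ps1", "msi"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: visually reverses the tail of a name


def suspicious_name(image_path):
    """Return a reason string when the executable's name is disguised, else None.

    Detects 'report.pdf.exe' style double extensions, the same trick with
    whitespace padding ('report.pdf          .exe') and a right-to-left
    override character anywhere in the base name.
    """
    name = ntpath.basename(image_path)
    if RLO in name:
        return "rlo_override"
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS:
        return f"double_extension:{parts[-2]}.{parts[-1]}"
    return None


def scan_process_events(events):
    """Apply suspicious_name to Sysmon-style process-creation events (EventID 1).

    Returns one (image, reason) tuple per match; other event types are ignored.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        reason = suspicious_name(ev.get("Image", ""))
        if reason:
            hits.append((ev["Image"], reason))
    return hits


# Constructed sample events shaped like Sysmon EventID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 2964 -s 1000"},
    {"EventID": 1, "Image": r"C:\Users\user\Downloads\Invoice.PDF                 .scr"},
    {"EventID": 1, "Image": "C:\\Users\\user\\Downloads\\holiday" + RLO + "gpj.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe"},
    # A file-create event (EventID 11) is skipped even though the name matches.
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\x.pdf.exe"},
]

if __name__ == "__main__":
    for image, reason in scan_process_events(SAMPLE_EVENTS):
        print(f"{reason:28} {image}")
```

The whitespace strip matters in practice: Explorer shows "Invoice.PDF" followed by blanks and hides the real extension off-screen, and a rule that only tests `endswith(".pdf.exe")` never sees it. The right-to-left override is reported separately because the name has no second dot at all; the displayed name is reversed rather than extended.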

AV Detection

Source: DHL Receipt 004673321.pdf.exe ReversingLabs: Detection: 26%
Source: DHL Receipt 004673321.pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FCBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WERC932.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\System.Core.pdbl source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FCBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC932.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC932.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbM3b source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FCBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FCBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: re.pdb source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FCBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FC5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\System.Core.pdb{#S source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FCBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: \??\C:\Users\user\Desktop\DHL Receipt 004673321.pdf.PDB source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FC5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: pC:\Users\user\Desktop\DHL Receipt 004673321.pdf.PDB ` source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2094773845.00000020D40F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb}! source: WERC932.tmp.dmp.4.dr
Source: Binary string: DHL Receipt 004673321.pdf.PDB source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2094773845.00000020D40F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERC932.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdbH source: WERC932.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\System.Core.pdbU, source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096486114.0000017F6FCBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: WERC932.tmp.dmp.4.dr
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net

System Summary

Source: initial sample Static PE information: Filename: DHL Receipt 004673321.pdf.exe
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Code function: 0_2_00007FF848F10F38 0_2_00007FF848F10F38
Source: DHL Receipt 004673321.pdf.exe Static PE information: No import functions for PE file found
Source: DHL Receipt 004673321.pdf.exe, 00000000.00000000.1988821665.0000017F6FA60000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUnewawaqakipurifL vs DHL Receipt 004673321.pdf.exe
Source: DHL Receipt 004673321.pdf.exe, 00000000.00000002.2096168121.0000017F100A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUnewawaqakipurifL vs DHL Receipt 004673321.pdf.exe
Source: DHL Receipt 004673321.pdf.exe Binary or memory string: OriginalFilenameUnewawaqakipurifL vs DHL Receipt 004673321.pdf.exe
Source: DHL Receipt 004673321.pdf.exe, getKindLongTimePattern.cs Task registration methods: 'CreateReferenceTrackingHandleTaskWaitContinuationStarted'
Source: DHL Receipt 004673321.pdf.exe, GetMainh-----kHandleEventWrittenEventArgs.cs Suspicious method names: .GetMainh_FFFD_FFFD_005B_FFFD_001DkHandleEventWrittenEventArgs.getRemainingMillisecondsEventPipePayloadDecoder
Source: DHL Receipt 004673321.pdf.exe, Low64RuntimeTypeCache.cs Suspicious method names: .Low64RuntimeTypeCache.GetMonthJoin4Payload
Source: DHL Receipt 004673321.pdf.exe, BrfalseHtmlDecode.cs Suspicious method names: .PayloadGetConsoleFallbackUICulture.ResetAbortSEPHourSuff
Source: DHL Receipt 004673321.pdf.exe, BrfalseHtmlDecode.cs Suspicious method names: .PayloadGetConsoleFallbackUICulture.VTDATELIBFLAGFCONTROL
Source: classification engine Classification label: mal68.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2964
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\44ace070-f29e-4278-b446-95c466f4f3ab
Source: DHL Receipt 004673321.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL Receipt 004673321.pdf.exe String found in binary or memory: /AddInServer
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe File read: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe "C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe"
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2964 -s 1000
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: DHL Receipt 004673321.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Receipt 004673321.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: DHL Receipt 004673321.pdf.exe, IsReferenceOrContainsReferencesDebuggerBrowsableAttribute.cs .Net Code: PrependDoubleView
Source: DHL Receipt 004673321.pdf.exe Static PE information: real checksum: 0x12cdabf9 should be: 0x43f9a
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
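The checksum mismatch above (stored 0x12cdabf9, expected 0x43f9a), together with "PE file does not import any functions", the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry and the HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT / NO_SEH / TERMINAL_SERVER_AWARE flags from the System Summary, can be re-checked without a sandbox. The following Python is added here as an example and is not part of the Joe Sandbox report. It parses those header fields with the standard library only and recomputes the PE CheckSum with the algorithm imagehlp uses. Because the sample itself is not on this page, it runs on a constructed minimal PE32+ image (the hypothetical build_sample_pe32plus below) that stores the report's bogus checksum value.

```python
import struct

CHECKSUM_FIELD = 0x40          # CheckSum offset inside the Optional Header (PE32 and PE32+)
DIR_IMPORT = 1                 # IMAGE_DIRECTORY_ENTRY_IMPORT
DIR_COM_DESCRIPTOR = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def pe_checksum(data, checksum_field_offset):
    """Recompute the PE CheckSum as imagehlp!CheckSumMappedFile does: a 32-bit
    end-around-carry sum over every dword except the CheckSum field itself,
    folded to 16 bits, plus the unpadded file length."""
    padded = data + b"\0" * ((4 - len(data) % 4) % 4)
    skip = checksum_field_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += _u32(padded, i * 4)
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def dll_characteristics_names(value):
    return [name for bit, name in DLL_CHARACTERISTICS.items() if value & bit]


def triage(data):
    """Parse a PE image's headers and return the fields the sandbox flagged."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # Optional Header follows the 20-byte COFF header
    magic = _u16(data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown Optional Header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    n_dirs = _u32(data, opt + (0x6C if pe32plus else 0x5C))   # NumberOfRvaAndSizes
    dirs = opt + (0x70 if pe32plus else 0x60)                  # first data directory

    def directory(index):
        if index >= n_dirs:
            return 0, 0
        return _u32(data, dirs + index * 8), _u32(data, dirs + index * 8 + 4)

    stored = _u32(data, opt + CHECKSUM_FIELD)
    computed = pe_checksum(data, opt + CHECKSUM_FIELD)
    imp_rva, imp_size = directory(DIR_IMPORT)
    clr_rva, clr_size = directory(DIR_COM_DESCRIPTOR)
    return {
        "pe32plus": pe32plus,
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_ok": stored == computed,
        "has_imports": imp_rva != 0 and imp_size != 0,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "dll_characteristics": _u16(data, opt + 0x46),
    }


def patch_checksum(data):
    """Return a copy of the image with a correct CheckSum written into the header."""
    opt = _u32(data, 0x3C) + 4 + 20
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, opt + CHECKSUM_FIELD, pe_checksum(data, opt + CHECKSUM_FIELD))
    return bytes(fixed)


def build_sample_pe32plus(checksum=0, with_imports=False, dotnet=True):
    """Constructed minimal PE32+ image (hypothetical test input, not a real binary)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0x0022)  # COFF: x64, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<Q", img, opt + 0x18, 0x140000000)           # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)        # Section / File alignment
    struct.pack_into("<II", img, opt + 0x38, 0x2000, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + CHECKSUM_FIELD, checksum)
    struct.pack_into("<HH", img, opt + 0x44, 3, 0x8560)            # Subsystem CUI; the five flags in the report
    struct.pack_into("<I", img, opt + 0x6C, 16)                    # NumberOfRvaAndSizes
    dirs = opt + 0x70
    if with_imports:
        struct.pack_into("<II", img, dirs + DIR_IMPORT * 8, 0x1000, 0x28)
    if dotnet:
        struct.pack_into("<II", img, dirs + DIR_COM_DESCRIPTOR * 8, 0x1010, 0x48)
    sec = opt + 0xF0                                               # first section header
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x1000, 0x200, 0x200)  # vsize, rva, raw size, raw ptr
    struct.pack_into("<I", img, sec + 36, 0x60000020)              # CODE | EXECUTE | READ
    img[0x200] = 0xC3                                              # one 'ret' so the section is not all zero
    return bytes(img)


if __name__ == "__main__":
    r = triage(build_sample_pe32plus(checksum=0x12CDABF9))
    print("checksum stored 0x%x computed 0x%x ok=%s" % (r["stored_checksum"], r["computed_checksum"], r["checksum_ok"]))
    print("imports:", r["has_imports"], " CLR header:", r["is_dotnet"])
    print("flags:", ", ".join(dll_characteristics_names(r["dll_characteristics"])))
```

Two caveats when reading these findings on a real sample. The loader only enforces the CheckSum for drivers and a few system images, so a user-mode executable with a zero or stale value runs normally; a mismatch says the bytes changed after linking (builders, patchers and packers do this routinely) and is weak evidence on its own. And a 64-bit managed image generally carries no import table at all, because the Windows loader starts the CLR from the COM descriptor rather than through an imported `_CorExeMain`; on this PE32+ sample, "does not import any functions" corroborates the .NET origin already shown by the COM descriptor entry and the mscoree.dll load rather than pointing at a native packer.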

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe Static PE information: DHL Receipt 004673321.pdf.exe
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Process information set: NOOPENFILEERRORBOX (30 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Memory allocated: 17F6FDB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Memory allocated: 17F71830000 memory reserve | memory write watch
Note: the .NET garbage collector reserves its heap with MEM_WRITE_WATCH in every managed process so it can track dirty pages; these two reservations are expected for a .NET executable and are not evidence of sandbox evasion by themselves.
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Note: every VMware and Hyper-V string in this section is sourced from Amcache.hve.4.dr, a copy of the Windows Amcache registry hive picked up as a dropped file, not from the sample's code or memory. They describe the analysis VM's own hardware and drivers and do not show the sample fingerprinting virtual machines.
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Queries volume information: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL Receipt 004673321.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
Note: the MsMpEng.exe strings come from the same Amcache.hve.4.dr hive, where Windows Defender is recorded like any other installed executable; the "AV process strings found" signature therefore does not show the sample searching for or terminating AV products.
No contacted IP infos