Windows Analysis Report DHL_AWB_DOCUMENT_pdf.exe

Overview

General Information

Sample Name: DHL_AWB_DOCUMENT_pdf.exe
Analysis ID: 500851
MD5: 1b20cc08d2181fb763011894d429ad46
SHA1: 7ace5eee56eec0bfd4d365999795e3773513084e
SHA256: de1730eddefee2b8d8193d92b02fc5a3fd1bf6d54c6f55eff53c85c8a2501a79
Tags: DHLexeHawkEye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

barindex
Uses 32bit PE files
Source: DHL_AWB_DOCUMENT_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB_DOCUMENT_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 13_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 13_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 26_2_0040702D
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.302901584.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.302901584.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.302167416.0000000002268000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 0000000D.00000003.302167416.0000000002268000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 0000000D.00000003.302319915.0000000002268000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 0000000D.00000003.302319915.0000000002268000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 0000000D.00000003.301820365.0000000002268000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 0000000D.00000003.301820365.0000000002268000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl.globalsign.com/root.crl0V
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjE4MmE0M2M0MDY3OGU1N2E4MjhkM2NjNDdlNGMzZmNkYjU1N
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiN
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvrrg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yHSm?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yqHP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://ocsp2.globalsign.com/cloudsslsha2g30V
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp, DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.285951977.0000000001587000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comic
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.285951977.0000000001587000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.como
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.285951977.0000000001587000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.como=
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://www.msn.com
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 0000000D.00000003.301810285.0000000002252000.00000004.00000001.sdmp, bhv2B6.tmp.13.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv2B6.tmp.13.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, 0000000D.00000002.302827463.000000000019C000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 0000001A.00000002.429178669.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.293702305.0000000006E42000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: vbc.exe, 0000000D.00000003.300550780.0000000002253000.00000004.00000001.sdmp, bhv2B6.tmp.13.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: vbc.exe, 0000000D.00000003.300550780.0000000002253000.00000004.00000001.sdmp, bhv2B6.tmp.13.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://contextual.media.net/
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000D.00000003.300565944.000000000225E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000D.00000003.301810285.0000000002252000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU15
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 0000000D.00000003.300565944.000000000225E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/57/35/144/83ebc513-f6d1-4e0e-a39a-bef975147e85.jpg?v=9
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:aut
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: vbc.exe, 0000000D.00000003.300550780.0000000002253000.00000004.00000001.sdmp, bhv2B6.tmp.13.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 0000000D.00000003.301789018.000000000273B000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.300550780.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.300565944.000000000225E000.00000004.00000001.sdmp, bhv2B6.tmp.13.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=623d43496a394c99b1336ff5cc139eb9&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=299872286.1601476511
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv2B6.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289625534.0000000004045000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.513331493.0000000003540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 3220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 13_2_0040F078

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 26.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 26.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000002.289625534.0000000004045000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000008.00000002.515516765.0000000005910000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000008.00000002.513331493.0000000003540000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001A.00000002.429178669.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 3220, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_AWB_DOCUMENT_pdf.exe
Uses 32bit PE files
Source: DHL_AWB_DOCUMENT_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 26.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 26.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000002.289625534.0000000004045000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000008.00000002.515516765.0000000005910000.00000004.00020000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000008.00000002.513331493.0000000003540000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001A.00000002.429178669.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 3220, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 0_2_00A266FF 0_2_00A266FF
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 0_2_00A24351 0_2_00A24351
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 0_2_02CEC124 0_2_02CEC124
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 0_2_02CEE562 0_2_02CEE562
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 0_2_02CEE570 0_2_02CEE570
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_00FF66FF 8_2_00FF66FF
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_00FF4351 8_2_00FF4351
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01772068 8_2_01772068
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017750B0 8_2_017750B0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017704E8 8_2_017704E8
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01779878 8_2_01779878
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01770C48 8_2_01770C48
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01779F70 8_2_01779F70
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773F68 8_2_01773F68
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01776FE7 8_2_01776FE7
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01772ECD 8_2_01772ECD
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01774178 8_2_01774178
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01774168 8_2_01774168
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017771F0 8_2_017771F0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01770562 8_2_01770562
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773568 8_2_01773568
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01770527 8_2_01770527
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01774528 8_2_01774528
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01774519 8_2_01774519
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017705ED 8_2_017705ED
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017755D0 8_2_017755D0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017705A6 8_2_017705A6
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017704E0 8_2_017704E0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_0177174D 8_2_0177174D
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017729F8 8_2_017729F8
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017729E9 8_2_017729E9
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017739D7 8_2_017739D7
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773981 8_2_01773981
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01775878 8_2_01775878
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01775868 8_2_01775868
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01777848 8_2_01777848
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01777838 8_2_01777838
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017738E6 8_2_017738E6
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017748E0 8_2_017748E0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017748D0 8_2_017748D0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773B60 8_2_01773B60
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773B1E 8_2_01773B1E
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773BF1 8_2_01773BF1
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_0177FBC0 8_2_0177FBC0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773BCE 8_2_01773BCE
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01770BA8 8_2_01770BA8
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773A77 8_2_01773A77
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773A02 8_2_01773A02
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773ADD 8_2_01773ADD
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773AAA 8_2_01773AAA
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773D40 8_2_01773D40
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773DDD 8_2_01773DDD
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773DA0 8_2_01773DA0
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773C73 8_2_01773C73
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773C1D 8_2_01773C1D
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01779F62 8_2_01779F62
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773E75 8_2_01773E75
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01773E1A 8_2_01773E1A
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01778E18 8_2_01778E18
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_01778E08 8_2_01778E08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0044900F 13_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004042EB 13_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00414281 13_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00410291 13_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004063BB 13_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00415624 13_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0041668D 13_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040477F 13_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040487C 13_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0043589B 13_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0043BA9D 13_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0043FBD3 13_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_00404DE5 26_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_00404E56 26_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_00404EC7 26_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_00404F58 26_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_0040BF6B 26_2_0040BF6B
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004083D6 appears 32 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 13_2_0040978A
Sample file is different than original file name gathered from version info
Source: DHL_AWB_DOCUMENT_pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll< vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.511281375.00000000017BA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe Binary or memory string: OriginalFilenameReadToEndAsyncInternald.exe4 vs DHL_AWB_DOCUMENT_pdf.exe
Source: DHL_AWB_DOCUMENT_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lgrlEexTAQO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe File read: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Jump to behavior
Source: DHL_AWB_DOCUMENT_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe 'C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe'
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lgrlEexTAQO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9820.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2B6B.tmp'
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp25DA.tmp'
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lgrlEexTAQO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9820.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2B6B.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp25DA.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe File created: C:\Users\user\AppData\Roaming\lgrlEexTAQO.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp9820.tmp Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@10/7@0/1
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 13_2_00418073
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.302901584.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 13_2_00417BE9
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 13_2_00413424
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\xchOxBtQU
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5044:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource, 13_2_004141E0
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: DHL_AWB_DOCUMENT_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_AWB_DOCUMENT_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, vbc.exe

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: DHL_AWB_DOCUMENT_pdf.exe, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: lgrlEexTAQO.exe.0.dr, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.a20000.0.unpack, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL_AWB_DOCUMENT_pdf.exe.a20000.0.unpack, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.ff0000.1.unpack, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.DHL_AWB_DOCUMENT_pdf.exe.ff0000.0.unpack, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 0_2_00A2657D push es; ret 0_2_00A2659A
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 0_2_053FAD07 push ecx; ret 0_2_053FAD25
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_00FF657D push es; ret 8_2_00FF659A
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_0177326C push ss; retf 8_2_0177326D
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Code function: 8_2_017732F5 push ss; retf 8_2_017732F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00444975 push ecx; ret 13_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00444B90 push eax; ret 13_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00444B90 push eax; ret 13_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00448E74 push eax; ret 13_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0042CF44 push ebx; retf 0042h 13_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_00412341 push ecx; ret 26_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_00412360 push eax; ret 26_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_00412360 push eax; ret 26_2_0041239C
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_004443B0
Source: initial sample Static PE information: section name: .text entropy: 7.92379641789
Source: initial sample Static PE information: section name: .text entropy: 7.92379641789

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe File created: C:\Users\user\AppData\Roaming\lgrlEexTAQO.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lgrlEexTAQO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9820.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_00443A61
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.2e246e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 3220, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp, DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe TID: 2964 Thread sleep time: -46850s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe TID: 4944 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe TID: 340 Thread sleep count: 136 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe TID: 340 Thread sleep time: -136000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe TID: 5840 Thread sleep count: 129 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe TID: 5840 Thread sleep time: -129000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 13_2_0040978A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0041829C memset,GetSystemInfo, 13_2_0041829C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 13_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 13_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 26_2_0040702D
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Thread delayed: delay time: 46850 Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: bhv2B6.tmp.13.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:FE8E72D9-9324-F27F-91C7-FEE66B531521&ctry=US&time=20211012T174704Z&lc=en-US&pl=en-US&idtp=mid&uid=8706df6d-9543-4122-b8e1-1fcdd5939be6&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=e4099ecd589b4f649ef6b1330758f97c&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1206672&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1206672&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.286303356.0000000002E01000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 13_2_0040978A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_004443B0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
.NET source code references suspicious native API functions
Source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lgrlEexTAQO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9820.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2B6B.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp25DA.tmp' Jump to behavior
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.512729430.0000000001FC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.512729430.0000000001FC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.512729430.0000000001FC0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.512729430.0000000001FC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.512729430.0000000001FC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_DOCUMENT_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 13_2_00418137
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004083A1 GetVersionExW, 13_2_004083A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 26_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 26_2_004073B6

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.513184627.00000000034E3000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

barindex
Yara detected MailPassView
Source: Yara match File source: 26.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.515516765.0000000005910000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.514774579.00000000035EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.429178669.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.515210194.00000000044D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289625534.0000000004045000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.513331493.0000000003540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 3220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 26_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 26_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 26_2_004033B1
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.283675051.0000000004D45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.515516765.0000000005910000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.513331493.0000000003540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.515210194.00000000044D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.302901584.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289625534.0000000004045000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.513331493.0000000003540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 3220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB_DOCUMENT_pdf.exe PID: 1928, type: MEMORYSTR
Detected HawkEye Rat
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000000.00000002.289239450.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB_DOCUMENT_pdf.exe, 00000008.00000002.505655633.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500851 Sample: DHL_AWB_DOCUMENT_pdf.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Detected HawkEye Rat 2->40 42 Yara detected MailPassView 2->42 44 7 other signatures 2->44 7 DHL_AWB_DOCUMENT_pdf.exe 7 2->7         started        process3 file4 24 C:\Users\user\AppData\Local\...\tmp9820.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\...\lgrlEexTAQO.exe, PE32 7->26 dropped 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->46 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 11 DHL_AWB_DOCUMENT_pdf.exe 5 7->11         started        14 schtasks.exe 1 7->14         started        signatures5 process6 signatures7 50 Sample uses process hollowing technique 11->50 16 vbc.exe 1 11->16         started        20 vbc.exe 11->20         started        22 conhost.exe 14->22         started        process8 dnsIp9 28 192.168.2.1 unknown unknown 16->28 30 Tries to steal Mail credentials (via file registry) 16->30 32 Tries to harvest and steal browser information (history, passwords, etc) 16->32 34 Tries to steal Instant Messenger accounts or passwords 20->34 36 Tries to steal Mail credentials (via file access) 20->36 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private
IP
192.168.2.1