Windows Analysis Report DHL_AWB 518877882999_887755468_pdf.exe

Overview

General Information

Sample Name: DHL_AWB 518877882999_887755468_pdf.exe
Analysis ID: 502165
MD5: 7d11e82579e2a0628ca3c855afe34fd1
SHA1: d6abbbe7f991e79c3bc51480314386c0cce5f2b9
SHA256: 691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
Tags: DHL, exe, HawkEye
Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 518877882999_887755468_pdf.exe Virustotal: Detection: 33%
Machine Learning detection for sample
Source: DHL_AWB 518877882999_887755468_pdf.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cmsyNzu.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack
Uses 32bit PE files
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 11_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 11_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_0040702D

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_058C9C78
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_058C69AC
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://acdn.adnxs.com/dmp/async_usersync.html
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-AAAAid7__f_
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://amplify-imp.outbrain.com/pixel?p=nlV1YHXXXKgnJTkmjxGkpD86h377hQIinq23IJiX9nqxEkupAtbFH4fSP0Iz
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://b1-use2.zemanta.com/bidder/win/outbrainrtb/c333bcb0-98dc-11e9-8919-320929a4a620/0.564833/3F66
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://b1t-use2.zemanta.com/t/imp/impression/FZV2QWU7KWGCXF6REQZNFCRJIZ4GXAXBRWOOIKPCGXHSIEOKHUJBTWL
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cdn.adnxs.com/v/s/169/trk.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cdn.taboola.com/TaboolaCookieSyncScript.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cm.adform.net/pixel?adform_pid=16&adform_pc=3011883223893104794
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: vbc.exe, 0000000B.00000003.299342081.000000000275A000.00000004.00000001.sdmp String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/name=euconsent&value=&expire=0&isFirstRequest=true0&twa=1&s
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl.globalsign.com/root.crl0V
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g5.crl0/
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g5.crl0L
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=148&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fs
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://e1.emxdgt.com/cs?d=d1&uid=3011883223893104794
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr String found in binary or memory: http://ib.adnxs.com/async_usersync_file
Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr String found in binary or memory: http://ib.adnxs.com/getuid?http://s.amazon-adsystem.com/ecm3?id=$UID&ex=appnexus.com
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjM1OWYyYmUyYWEzNmM5ZGIxOWNkODJhMjgxMTNiZjk2MDliN
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjU1YWFlM2E2Yzk0NjI5ZTJjNzIwNTg1NTAyOWJhYWYwZmIxM
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjU5Zjc4ZGRjN2Y0NThlYzE2YmNhY2E0Y2E2YmFkYzgwNTYyZ
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5N
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVlOTU1MDFkNzMwNDkzY2MzOWM0MzkzNmI4MTUzMTlhYTQ2O
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImE2Y2FkYjk5YjFhZTM3OGRiYjNlYjY3YzUxMTk0YzRkM2ViZ
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsWyr?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuMD0?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBGjoVB?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBIbOGs?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPRPvf?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBSDdmG?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBTrj40?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVBUge?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVQ7lO?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.comodoca.com09
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://ocsp2.globalsign.com/cloudsslsha2g30V
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pagead2.googlesyndication.com/pagead/js/r20190624/r20190131/show_ads_impl.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-
Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr String found in binary or memory: http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1
Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr String found in binary or memory: http://s.amazon-adsystem.com/x/da2e6c890e6e3636
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://sb.scorecardresearch.com/beacon.js
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.dr String found in binary or memory: https://www.google.com/pagead/drt/ui
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js?cb=%2Fr20100101
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd_listener.js?cache=r20110914
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhvE48A.tmp.11.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 11_2_0040F078

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_AWB 518877882999_887755468_pdf.exe
Uses 32bit PE files
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
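The block above repeats each rule once per unpacked region or memory dump, which makes it hard to see the one thing an analyst wants from it: which rules fired, with what metadata, and in which processes. The script below is an added example written for this page (it is not Joe Sandbox code) that parses the "Yara signature match" lines into a per-rule summary. It assumes the source naming I read off the lines themselves rather than from documentation: unpacked regions are named <process index>.<stage>.<image name>.<hex address>.<n>[.raw].unpack, memory dumps carry the process index and stage as eight hex digits (so 00000018 is the same process as 24.2.vbc.exe), and "Process Memory Space ... PID: n" lines carry an OS PID instead of an index. The summary-form lines in the "Malicious sample detected" block ("Matched rule: Detects ... Author: ...") do not carry key = value metadata and are not the target of this parser.

```python
"""Summarise Joe Sandbox 'Matched rule' lines by rule and by process.

Added example for this page, not Joe Sandbox code. The Source-field naming
below is an assumption read off the report lines themselves:
  <proc index>.<stage>.<image name>.<hex address>.<n>[.raw].unpack   (UNPACKEDPE)
  <proc index, 8 hex digits>.<stage, 8 hex digits>.<...>.sdmp         (MEMORY)
  Process Memory Space: <image name> PID: <os pid>                    (MEMORYSTR)
"""
import re
from collections import defaultdict

# Constructed sample: seven lines copied from the report's "Yara signature match" block.
SAMPLE_LINES = """
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
"""

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\w+) Matched rule: (?P<rule>\S+)(?: (?P<meta>.*))?$"
)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\..+\.[0-9a-f]+\.\d+(?:\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.\d+\.[0-9a-fA-F]{16}\.\d{8}\.\d{8}\.sdmp$")
PIDSTR_RE = re.compile(r"^Process Memory Space: .+ PID: (\d+)$")
# "key = value" pairs; the lookahead ends a value at the next ", key = ", so a
# value may itself contain spaces or commas (descriptions, licence strings).
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")


def parse_source(source):
    """Return ("index", n) for a process index, ("pid", n) for an OS PID, else ("unknown", source)."""
    m = UNPACK_RE.match(source)
    if m:
        return "index", int(m.group(1))
    m = SDMP_RE.match(source)
    if m:
        return "index", int(m.group(1), 16)  # eight hex digits in dump names
    m = PIDSTR_RE.match(source)
    if m:
        return "pid", int(m.group(1))
    return "unknown", source


def summarize(report_text):
    """Map rule name -> {"meta", "types", "process_indexes", "pids", "hits"}."""
    rules = {}
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # the report mixes many line kinds; keep only rule matches
        entry = rules.setdefault(
            m["rule"],
            {"meta": {}, "types": set(), "process_indexes": set(), "pids": set(), "hits": 0},
        )
        entry["hits"] += 1
        entry["types"].add(m["type"])
        if m["meta"] and not entry["meta"]:
            entry["meta"] = dict(META_RE.findall(m["meta"]))  # metadata repeats per hit
        kind, value = parse_source(m["source"])
        if kind == "index":
            entry["process_indexes"].add(value)
        elif kind == "pid":
            entry["pids"].add(value)
    return rules


def rules_by_process(summary):
    """Invert the summary: process index -> set of rule names that hit that process."""
    by_proc = defaultdict(set)
    for rule, entry in summary.items():
        for idx in entry["process_indexes"]:
            by_proc[idx].add(rule)
    return dict(by_proc)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for rule, entry in summary.items():
        print(f"{rule}: {entry['hits']} hit(s), processes {sorted(entry['process_indexes'])}, "
              f"PIDs {sorted(entry['pids'])}, author={entry['meta'].get('author', '?')}")
    for idx, names in sorted(rules_by_process(summary).items()):
        print(f"process {idx}: {sorted(names)}")
```

Run against the full block, the inversion shows the two HawkEye rules and the ConfuserEx rule firing on the same unpacked regions in processes 0 and 7, while APT_NK_BabyShark_KimJoingRAT_Apr19_1 fires on other regions of process 7 and on the vbc.exe process (index 24). A community rule for an unrelated family that appears only beside a stronger, consistent family signal is something to verify by checking which of its strings actually matched before it is used for attribution; the per-rule summary makes that discrepancy visible but does not decide it.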
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A1070 0_2_019A1070
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A23E1 0_2_019A23E1
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A3230 0_2_019A3230
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A0470 0_2_019A0470
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A4138 0_2_019A4138
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A4129 0_2_019A4129
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A3159 0_2_019A3159
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A5008 0_2_019A5008
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A5830 0_2_019A5830
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A5840 0_2_019A5840
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A1373 0_2_019A1373
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A5A28 0_2_019A5A28
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A55D3 0_2_019A55D3
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A55E0 0_2_019A55E0
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A842F 0_2_019A842F
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A5458 0_2_019A5458
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A5448 0_2_019A5448
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A8440 0_2_019A8440
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A0FB9 0_2_019A0FB9
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_058C75C8 0_2_058C75C8
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_058C75D8 0_2_058C75D8
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_058C4B4C 0_2_058C4B4C
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01692068 7_2_01692068
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016904D8 7_2_016904D8
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016954B8 7_2_016954B8
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01699920 7_2_01699920
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01697868 7_2_01697868
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016938E6 7_2_016938E6
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01690C48 7_2_01690C48
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01696C20 7_2_01696C20
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01699F80 7_2_01699F80
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01694168 7_2_01694168
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01694178 7_2_01694178
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693568 7_2_01693568
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693563 7_2_01693563
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01690562 7_2_01690562
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01694528 7_2_01694528
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0169053B 7_2_0169053B
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01694519 7_2_01694519
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016905ED 7_2_016905ED
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016905A6 7_2_016905A6
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01699910 7_2_01699910
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016929E9 7_2_016929E9
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016929F8 7_2_016929F8
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016939D7 7_2_016939D7
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693981 7_2_01693981
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01695878 7_2_01695878
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01697858 7_2_01697858
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016948E0 7_2_016948E0
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016948D0 7_2_016948D0
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01695888 7_2_01695888
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693B60 7_2_01693B60
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693B1E 7_2_01693B1E
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693BF1 7_2_01693BF1
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693BCE 7_2_01693BCE
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693A77 7_2_01693A77
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693A02 7_2_01693A02
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693ADD 7_2_01693ADD
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693AAA 7_2_01693AAA
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693D40 7_2_01693D40
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693DDD 7_2_01693DDD
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693DA0 7_2_01693DA0
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693C73 7_2_01693C73
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01690C35 7_2_01690C35
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693C1D 7_2_01693C1D
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01691F61 7_2_01691F61
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693E75 7_2_01693E75
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01698E28 7_2_01698E28
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01696E08 7_2_01696E08
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_01693E1A 7_2_01693E1A
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_060562B8 7_2_060562B8
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_06054310 7_2_06054310
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_06054C00 7_2_06054C00
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0605FBD0 7_2_0605FBD0
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0605C281 7_2_0605C281
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0605C2C8 7_2_0605C2C8
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_06059080 7_2_06059080
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_06059090 7_2_06059090
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_06053FC0 7_2_06053FC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004063BB 11_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0044900F 11_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004042EB 11_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00414281 11_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00410291 11_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00415624 11_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0041668D 11_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040477F 11_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040487C 11_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0043589B 11_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0043BA9D 11_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0043FBD3 11_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00404DE5 24_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00404E56 24_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00404EC7 24_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00404F58 24_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_0040BF6B 24_2_0040BF6B
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004083D6 appears 32 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040978A
Sample file is different than original file name gathered from version info
Source: DHL_AWB 518877882999_887755468_pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 518877882999_887755468_pdf.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000003.269608946.0000000001772000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 518877882999_887755468_pdf.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 518877882999_887755468_pdf.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000000.276423081.0000000000F6A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 518877882999_887755468_pdf.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: cmsyNzu.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL_AWB 518877882999_887755468_pdf.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe File read: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe 'C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe'
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe File created: C:\Users\user\AppData\Roaming\cmsyNzu.exe
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp70BF.tmp
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@10/7@0/1
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 11_2_00418073
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 11_2_00417BE9
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 11_2_00413424
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\vsnTDpNgPVtyiPSBVsGfKIlxfV
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\reblGreen Software DimWin Brightness
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource, 11_2_004141E0
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: DHL_AWB 518877882999_887755468_pdf.exe Static file information: File size 1078272 > 1048576
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106800
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, vbc.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F420E0 push ecx; ret 0_2_00F42101
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F421E2 push ecx; iretd 0_2_00F421FF
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F431C9 push esi; retf 0_2_00F431CA
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_00F4216E push 3D7EE852h; retf 0_2_00F4217B
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 0_2_019A727B push esi; retf 0_2_019A727C
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E621E2 push ecx; iretd 7_2_00E621FF
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E620E0 push ecx; ret 7_2_00E62101
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E631C9 push esi; retf 7_2_00E631CA
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_00E6216E push 3D7EE852h; retf 7_2_00E6217B
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0169326C push ss; retf 7_2_0169326D
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016932F5 push ss; retf 7_2_016932F6
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_0169F4E0 push es; ret 7_2_0169F4F0
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 7_2_016997A9 push 00000069h; ret 7_2_016997AB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00444975 push ecx; ret 11_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00444B90 push eax; ret 11_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00444B90 push eax; ret 11_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00448E74 push eax; ret 11_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0042CF44 push ebx; retf 0042h 11_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00412341 push ecx; ret 24_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00412360 push eax; ret 24_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_00412360 push eax; ret 24_2_0041239C
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_004443B0
Source: initial sample Static PE information: section name: .text entropy: 7.77724876545

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe File created: C:\Users\user\AppData\Roaming\cmsyNzu.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_00443A61
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.3466e5c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 4844 Thread sleep time: -34041s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 4732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 5016 Thread sleep count: 136 > 30
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 5016 Thread sleep time: -136000s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 476 Thread sleep count: 149 > 30
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 476 Thread sleep time: -149000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040978A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Thread delayed: delay time: 922337203685477
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0041829C memset,GetSystemInfo, 11_2_0041829C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 11_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 11_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_0040702D
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Thread delayed: delay time: 34041
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Thread delayed: delay time: 922337203685477
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040978A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_004443B0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 365008
.NET source code references suspicious native API functions
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp Binary or memory string: ProgMan
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 11_2_00418137
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_004083A1 GetVersionExW, 11_2_004083A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 24_2_004073B6

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 24_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 24_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 24_2_004033B1
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Detected HawkEye Rat
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles