Windows Analysis Report DHL_AWB 518877882999_887755468_pdf.exe

Overview

General Information

Sample Name: DHL_AWB 518877882999_887755468_pdf.exe
Analysis ID: 502165
MD5: 7d11e82579e2a0628ca3c855afe34fd1
SHA1: d6abbbe7f991e79c3bc51480314386c0cce5f2b9
SHA256: 691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
Tags: DHL, exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • DHL_AWB 518877882999_887755468_pdf.exe (PID: 2172 cmdline: 'C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe' MD5: 7D11E82579E2A0628CA3C855AFE34FD1)
    • schtasks.exe (PID: 5984 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_AWB 518877882999_887755468_pdf.exe (PID: 2960 cmdline: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe MD5: 7D11E82579E2A0628CA3C855AFE34FD1)
      • vbc.exe (PID: 5232 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6168 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x88246:$s1: HawkEye Keylogger
  • 0x882af:$s1: HawkEye Keylogger
  • 0x81689:$s2: _ScreenshotLogger
  • 0x81656:$s3: _PasswordStealer
00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b4fa:$a1: logins.json
  • 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6bc7e:$s4: \mozsqlite3.dll
  • 0x6a4ee:$s5: SMTP Password
00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author
7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password
7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 518877882999_887755468_pdf.exe Virustotal: Detection: 33%
Machine Learning detection for sample
Source: DHL_AWB 518877882999_887755468_pdf.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cmsyNzu.exe Joe Sandbox ML: detected
Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB 518877882999_887755468_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 11_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 24_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: http://s.amazon-adsystem.com/x/da2e6c890e6e3636
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://sb.scorecardresearch.com/beacon.js
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/8c/865070.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsWyr.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuMD0.img?h=333&w=311
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbOGs.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://t.wayfair.com/a/vendor_sync/user?vendor_id=1&uid=3011883223893104794&t=1
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://trc.taboola.com/p3p.xml
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000003.253368565.0000000001A9B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn01
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.googleadservices.com/pagead/p3p.xml
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhvE48A.tmp.11.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, 0000000B.00000002.301955681.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: vbc.exe, vbc.exe, 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.292999870.0000000009932000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
            Source: vbc.exe, 0000000B.00000003.298841917.00000000021A3000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
            Source: vbc.exe, 0000000B.00000003.299060394.00000000021B4000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt
            Source: vbc.exe, 0000000B.00000003.298884319.00000000021AE000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302301690.00000000021AA000.00000004.00000001.sdmp, bhvE48A.tmp.11.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: vbc.exe, 0000000B.00000003.299521539.00000000027CA000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1res://C:
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/286x175/2/79/227/59/931bcbc9-c308-445b-ac87-70a69b051455.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x194/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x300/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBEB4CB72
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:300
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmEU9fBBc-.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmSU5fBBc-.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOmCnqEu92Fr1Mu4mxM.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: bhvE48A.tmp.11.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7064439419818173&output=html&h=250&twa=

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A1070
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A23E1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A3230
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A0470
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A4138
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A4129
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A3159
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A5008
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A5830
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A5840
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A1373
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A5A28
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A55D3
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A55E0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A842F
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A5458
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A5448
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A8440
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A0FB9
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_058C75C8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_058C75D8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_058C4B4C
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01692068
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016904D8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016954B8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01699920
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01697868
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016938E6
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01690C48
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01696C20
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01699F80
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01694168
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01694178
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693568
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693563
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01690562
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01694528
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_0169053B
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01694519
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016905ED
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016905A6
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01699910
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016929E9
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016929F8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016939D7
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693981
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01695878
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01697858
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016948E0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016948D0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01695888
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693B60
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693B1E
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693BF1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693BCE
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693A77
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693A02
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693ADD
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693AAA
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693D40
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693DDD
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693DA0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693C73
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01690C35
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693C1D
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01691F61
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693E75
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01698E28
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01696E08
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_01693E1A
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_060562B8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_06054310
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_06054C00
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_0605FBD0
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_0605C281
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_0605C2C8
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_06059080
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_06059090
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_06053FC0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004063BB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0044900F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004042EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00414281
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00410291
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00415624
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0041668D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040477F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040487C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0043589B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0043BA9D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0043FBD3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404DE5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404EC7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404F58
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_0040BF6B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 87 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 32 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000003.269608946.0000000001772000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000000.276423081.0000000000F6A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Binary or memory string: OriginalFilenameKeyedHashAlgorit.exeD vs DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: cmsyNzu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Virustotal: Detection: 33%
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | File read: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe 'C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | File created: C:\Users\user\AppData\Roaming\cmsyNzu.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp70BF.tmp
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@10/7@0/1
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\vsnTDpNgPVtyiPSBVsGfKIlxfV
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\reblGreen Software DimWin Brightness
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static file information: File size 1078272 > 1048576
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106800
            Source: DHL_AWB 518877882999_887755468_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, vbc.exe

            Data Obfuscation:

            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Unpacked PE file: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_00F420E0 push ecx; ret
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_00F421E2 push ecx; iretd
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_00F431C9 push esi; retf
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_00F4216E push 3D7EE852h; retf
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 0_2_019A727B push esi; retf
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_00E621E2 push ecx; iretd
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_00E620E0 push ecx; ret
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_00E631C9 push esi; retf
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_00E6216E push 3D7EE852h; retf
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_0169326C push ss; retf
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016932F5 push ss; retf
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_0169F4E0 push es; ret
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Code function: 7_2_016997A9 push 00000069h; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00444975 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_00448E74 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_0042CF44 push ebx; retf 0042h
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 24_2_00412341 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 24_2_00412360 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 24_2_00412360 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 11_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: initial sampleStatic PE information: section name: .text entropy: 7.77724876545
            Source: initial sampleStatic PE information: section name: .text entropy: 7.77724876545
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeFile created: C:\Users\user\AppData\Roaming\cmsyNzu.exeJump to dropped file

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.3466e5c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 4844 | Thread sleep time: -34041s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 4732 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 5016 | Thread sleep count: 136 > 30
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 5016 | Thread sleep time: -136000s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 476 | Thread sleep count: 149 > 30
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe TID: 476 | Thread sleep time: -149000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0041829C memset,GetSystemInfo,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Thread delayed: delay time: 34041
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Thread delayed: delay time: 922337203685477
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 20F008
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 365008
            .NET source code references suspicious native API functions
            Source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp | Binary or memory string: ProgMan
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523232752.0000000001C40000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Queries volume information (VolumeInformation) for each of the following files:
  C:\Windows\Fonts\PERB____.TTF
  C:\Windows\Fonts\PERBI___.TTF
  C:\Windows\Fonts\PALSCRI.TTF
  C:\Windows\Fonts\OCRAEXT.TTF
  C:\Windows\Fonts\MAIAN.TTF
  C:\Windows\Fonts\LTYPE.TTF
  C:\Windows\Fonts\LTYPEO.TTF
  C:\Windows\Fonts\LTYPEB.TTF
  C:\Windows\Fonts\LTYPEBO.TTF
  C:\Windows\Fonts\LSANS.TTF
  C:\Windows\Fonts\LSANSD.TTF
  C:\Windows\Fonts\LSANSI.TTF
  C:\Windows\Fonts\LSANSDI.TTF
  C:\Windows\Fonts\IMPRISHA.TTF
  C:\Windows\Fonts\HATTEN.TTF
  C:\Windows\Fonts\GOUDYSTO.TTF
  C:\Windows\Fonts\GOUDOS.TTF
  C:\Windows\Fonts\GOUDOSI.TTF
  C:\Windows\Fonts\GOUDOSB.TTF
  C:\Windows\Fonts\GLECB.TTF
  C:\Windows\Fonts\GIL_____.TTF
  C:\Windows\Fonts\GILI____.TTF
  C:\Windows\Fonts\GILB____.TTF
  C:\Windows\Fonts\GILBI___.TTF
  C:\Windows\Fonts\GILC____.TTF
  C:\Windows\Fonts\GLSNECB.TTF
  C:\Windows\Fonts\GIGI.TTF
  C:\Windows\Fonts\FRABK.TTF
  C:\Windows\Fonts\FRABKIT.TTF
  C:\Windows\Fonts\FORTE.TTF
  C:\Windows\Fonts\FELIXTI.TTF
  C:\Windows\Fonts\ERASMD.TTF
  C:\Windows\Fonts\ERASLGHT.TTF
  C:\Windows\Fonts\ERASDEMI.TTF
  C:\Windows\Fonts\ERASBD.TTF
  C:\Windows\Fonts\ENGR.TTF
  C:\Windows\Fonts\ELEPHNT.TTF
  C:\Windows\Fonts\ELEPHNTI.TTF
  C:\Windows\Fonts\ITCEDSCR.TTF
  C:\Windows\Fonts\CURLZ___.TTF
  C:\Windows\Fonts\COPRGTL.TTF
  C:\Windows\Fonts\COPRGTB.TTF
  C:\Windows\Fonts\CENSCBK.TTF
  C:\Windows\Fonts\SCHLBKI.TTF
  C:\Windows\Fonts\SCHLBKB.TTF
  C:\Windows\Fonts\SCHLBKBI.TTF
  C:\Windows\Fonts\CASTELAR.TTF
  C:\Windows\Fonts\CALIST.TTF
  C:\Windows\Fonts\CALISTI.TTF
  C:\Windows\Fonts\CALISTB.TTF
  C:\Windows\Fonts\CALISTBI.TTF
  C:\Windows\Fonts\BOOKOS.TTF
  C:\Windows\Fonts\BOOKOSB.TTF
  C:\Windows\Fonts\BOOKOSI.TTF
  C:\Windows\Fonts\BOOKOSBI.TTF
  C:\Windows\Fonts\BOD_R.TTF
  C:\Windows\Fonts\BOD_I.TTF
  C:\Windows\Fonts\BOD_B.TTF
  C:\Windows\Fonts\BOD_BI.TTF
  C:\Windows\Fonts\BOD_CR.TTF
  C:\Windows\Fonts\BOD_BLAR.TTF
  C:\Windows\Fonts\BOD_CI.TTF
  C:\Windows\Fonts\BOD_CB.TTF
  C:\Windows\Fonts\BOD_BLAI.TTF
  C:\Windows\Fonts\BOD_CBI.TTF
  C:\Windows\Fonts\ITCBLKAD.TTF
  C:\Windows\Fonts\ARLRDBD.TTF
  C:\Windows\Fonts\AGENCYR.TTF
  C:\Windows\Fonts\AGENCYB.TTF
  C:\Windows\Fonts\BSSYM7.TTF
  C:\Windows\Fonts\REFSAN.TTF
  C:\Windows\Fonts\REFSPCL.TTF
  C:\Windows\Fonts\MTEXTRA.TTF
  C:\Windows\Fonts\marlett.ttf
  C:\Windows\Fonts\micross.ttf
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (queried a second time)
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
The per-font queries are the pattern the .NET Framework produces when a WinForms assembly enumerates installed fonts at startup and carry little signal on their own. The GAC assemblies are more telling: Microsoft.VisualBasic and System.Windows.Forms are consistent with a VB.NET WinForms binary, and System.Management is the .NET WMI client library, consistent with the Win32_NetworkAdapter WMI query noted in the overview. The host-fingerprinting items worth recording are the MachineGuid read below and the GetComputerNameA/GetUserNameA/GetVersionExW calls in the code injected into vbc.exe.
Source: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_004083A1 GetVersionExW,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp | Binary or memory strings: bdagent.exe, MSASCui.exe, avguard.exe, avgrsx.exe, avcenter.exe, avp.exe, zlclient.exe, wireshark.exe, avgcsrvx.exe, avgnt.exe, hijackthis.exe, avgui.exe, avgwdsvc.exe, mbam.exe, MsMpEng.exe, ComboFix.exe
These are the process names of security products (Windows Defender, Kaspersky, AVG, Avira, Bitdefender, ZoneAlarm, Malwarebytes) and of analysis and cleanup tools (Wireshark, HijackThis, ComboFix): the list a security-software-discovery or "AntiVirusKiller" routine walks when enumerating running processes, which is what the "Tries to detect sandboxes and other dynamic analysis tools (process name ...)" signature in the overview refers to.

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4abdbda.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7de834a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.4291990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Reading the dump names: the first field is the process index in hex (00000018 is process 24, the second vbc.exe; 0000000B is process 11, the first), the fourth is the region base, and the fifth is the page protection. The heap regions carry 00000004 (PAGE_READWRITE); the 0x400000 image bases inside vbc.exe carry 00000040 (PAGE_EXECUTE_READWRITE), the writable-and-executable mapping that process hollowing leaves behind and that the "Sample uses process hollowing technique" signature refers to. The MailPassView payload sits in process 24 and the WebBrowserPassView payload in process 11, matching the two vbc.exe children in the behaviour graph.
Yara detected HawkEye Keylogger
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65890.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.41f5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.DHL_AWB 518877882999_887755468_pdf.exe.4a65bd5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.7d90345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5293710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.5024860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 518877882999_887755468_pdf.exe.4f54640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL_AWB 518877882999_887755468_pdf.exe PID: 2960, type: MEMORYSTR
Detected HawkEye Rat
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB 518877882999_887755468_pdf.exe, 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
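Two of the artefacts in this report are directly reusable as a hunting check: the list of security-product and analysis-tool process names found in process 7's memory (the "Binary or memory string" block above), and the `_Version_Mutex_Delivery_...` configuration field names that the "Detected HawkEye Rat" signature keys on. The following Python is an added example for this page, not Joe Sandbox, HawkEye or NirSoft code. It scans a dumped memory region for both artefacts in ASCII and in UTF-16LE (the encoding .NET uses for string literals, so an ASCII-only strings pass misses them) and returns a verdict. The memory blob is constructed, the grouping of process names by product is the editor's rather than the report's, and the thresholds (eight schema fields, three tool names) are assumptions to tune.

```python
"""Triage a dumped memory region for the two HawkEye artefacts this report
quotes: the configuration field-name schema and the security-tool process list.

Added example for this page; it is not Joe Sandbox, HawkEye or NirSoft code.
The memory blob below is constructed, and the grouping of process names by
product is the editor's, not something the report states.
"""
from __future__ import annotations

import re

# Tokens from the report's "Detected HawkEye Rat" string (_Version_Mutex_...).
HAWKEYE_CONFIG_FIELDS = (
    "Version", "Mutex", "Delivery", "EmailUsername", "EmailPassword",
    "EmailServer", "EmailPort", "EmailSSL", "FTPServer", "FTPUsername",
    "FTPPassword", "ProxyURL", "PanelURL", "PanelSecret", "PasswordStealer",
    "KeyStrokeLogger", "ClipboardLogger", "ScreenshotLogger", "WebCamLogger",
    "AntiVirusKiller", "BotKiller", "AntiDebugger", "HideFile", "MeltFile",
)

# Process names found in the sample's memory (section above), grouped by product.
SECURITY_TOOL_PROCESSES = {
    "Windows Defender": ("MSASCui.exe", "MsMpEng.exe"),
    "Kaspersky": ("avp.exe",),
    "AVG": ("avgrsx.exe", "avgcsrvx.exe", "avgui.exe", "avgwdsvc.exe"),
    "Avira": ("avguard.exe", "avcenter.exe", "avgnt.exe"),
    "Bitdefender": ("bdagent.exe",),
    "ZoneAlarm": ("zlclient.exe",),
    "Malwarebytes": ("mbam.exe",),
    "analysis/cleanup tools": ("wireshark.exe", "hijackthis.exe", "ComboFix.exe"),
}


def find_string(blob: bytes, needle: str) -> list[tuple[int, str]]:
    """Offsets of every case-insensitive ASCII and UTF-16LE occurrence.

    .NET string literals live in memory as UTF-16LE, while metadata
    identifiers are single-byte; an ASCII-only strings pass misses the former.
    """
    hits = []
    for encoding, label in (("ascii", "ascii"), ("utf-16-le", "wide")):
        pattern = re.escape(needle.encode(encoding))
        hits.extend((m.start(), label)
                    for m in re.finditer(pattern, blob, re.IGNORECASE))
    return sorted(hits)


def find_config_schema(blob: bytes, min_fields: int = 8) -> dict:
    """Count which '_FieldName' tokens of the schema are present.

    Matching tokens individually works whether the names sit back to back,
    as quoted in the report, or as separate identifiers; requiring several
    of them keeps a lone '_Version' from matching.
    """
    present = [f for f in HAWKEYE_CONFIG_FIELDS if find_string(blob, "_" + f)]
    return {"fields": present, "matched": len(present) >= min_fields}


def find_security_tools(blob: bytes) -> dict[str, list[str]]:
    """Map each product to the process names from its list found in the blob."""
    found = {}
    for product, names in SECURITY_TOOL_PROCESSES.items():
        hits = [n for n in names if find_string(blob, n)]
        if hits:
            found[product] = hits
    return found


def triage(blob: bytes) -> dict:
    """Combine both checks into a single verdict for the region."""
    schema = find_config_schema(blob)
    tools = find_security_tools(blob)
    tool_count = sum(len(v) for v in tools.values())
    if schema["matched"] and tool_count >= 3:
        verdict = "hawkeye config schema + security-tool list"
    elif schema["matched"]:
        verdict = "hawkeye config schema"
    elif tool_count >= 3:
        verdict = "security-tool discovery list only"
    else:
        verdict = "no hawkeye indicators"
    return {"verdict": verdict, "config_fields": schema["fields"],
            "security_tools": tools, "tool_count": tool_count}


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dump: the schema stored wide, as a .NET
    string literal would be, and the process names stored single-byte."""
    schema = "".join("_" + f for f in HAWKEYE_CONFIG_FIELDS[:12])
    names = b"\x00".join(n.encode() for n in (
        "bdagent.exe", "MSASCui.exe", "avp.exe", "wireshark.exe", "mbam.exe"))
    return (b"MZ" + b"\x00" * 64 + schema.encode("utf-16-le")
            + b"\x00" * 16 + names + b"\x00" * 32)


if __name__ == "__main__":
    result = triage(build_sample_blob())
    print(result["verdict"])
    for product, names in result["security_tools"].items():
        print(f"  {product}: {', '.join(names)}")
```

Against a real region, pass the bytes of one of the .sdmp dumps listed in this report to `triage()`; the constructed blob yields the combined verdict with five tool names across Bitdefender, Windows Defender, Kaspersky, Malwarebytes and the analysis-tool group. The schema check deliberately does not depend on the field names being contiguous, because the report quotes them as one run but a metadata #Strings heap stores them as separate NUL-terminated identifiers.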

Mitre Att&ck Matrix

Columns, left to right: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact. The digits after a technique name are the numeric badges carried over from the original matrix; only badged techniques correspond to signatures that fired, the unbadged cells are the matrix's fixed layout, and a dash marks a cell that was empty.

Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 11 | Scheduled Task/Job 1 | Process Injection 412 | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 2 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 4 | Credentials In Files 1 | File and Directory Discovery 2 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 23 | NTDS | System Information Discovery 19 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Security Software Discovery 231 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Virtualization/Sandbox Evasion 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 412 | DCSync | Process Discovery 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 502165 | Sample: DHL_AWB 518877882999_887755... | Startdate: 13/10/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); 13 other signatures

Process tree (indentation shows parent and child; numbers in brackets are the graph's node badges):
DHL_AWB 518877882999_887755468_pdf.exe [7] started
    dropped: C:\Users\user\AppData\Roaming\cmsyNzu.exe (PE32)
    dropped: C:\Users\user\...\cmsyNzu.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmp70BF.tmp (XML)
    dropped: DHL_AWB 5188778829...7755468_pdf.exe.log (ASCII)
    DHL_AWB 518877882999_887755468_pdf.exe [5] started
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
        vbc.exe [1] started
            network: 192.168.2.1 unknown unknown
            signatures: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)
        vbc.exe started
            signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
    schtasks.exe [1] started
        conhost.exe started

The chain is the one the signatures describe: the first instance drops a copy to %AppData% and registers a scheduled task through schtasks.exe (the tmp70BF.tmp XML is the task definition handed to it), the second instance hollows two vbc.exe processes from the .NET 2.0 framework directory, and each hollowed process runs one of the NirSoft-derived credential recovery payloads. The only network contact recorded is 192.168.2.1, a private RFC 1918 address inside the analysis network; no external command-and-control traffic appears in this graph.
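The process tree above and the credential-store access listed under "Stealing of Sensitive Information" together give the detection opportunities for this family on an endpoint: a .NET compiler (vbc.exe) started by a user-launched executable rather than build tooling, followed by that same process opening mail and IM account keys and Chrome's Login Data and Web Data. The Python below is an added example for this page, not Joe Sandbox or any vendor's detection content. It runs three rules over a simplified, assumed Sysmon-like event stream and correlates them per PID. The events are constructed to mirror the report's chain; the vbc.exe PID (3100), explorer.exe as the loader's parent, csc.exe as a second compiler host, and the allowlists of legitimate readers are all assumptions to tune for a real estate.

```python
"""Endpoint-telemetry rules for the chain this report records: the loader
(report PIDs 2172 and 2960) hollowing the .NET compiler vbc.exe, which then
opens mail/IM account keys and Chrome's credential databases.
Added example for this page, not Joe Sandbox or vendor detection code. The
Sysmon-like event shape is assumed and the events are constructed; the vbc.exe
PID (3100), csc.exe as a second host and the allowlists are guesses to tune.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    kind: str                            # "process" | "registry" | "file"
    pid: int
    image: str                           # full path of the acting process
    target: str = ""                     # registry key or file path opened
    parent_image: Optional[str] = None   # process events only

COMPILER_HOSTS = {"vbc.exe", "csc.exe"}
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe",
                             "vbc.exe", "csc.exe", "dotnet.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
CREDENTIAL_KEYS = tuple(k.lower() for k in (   # keys vbc.exe opened in the report
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts",
    r"HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt",
))
CREDENTIAL_KEY_READERS = {"outlook.exe", "wlmail.exe", "incmail.exe", "googletalk.exe"}
CHROME_STORES = {"login data", "web data"}   # files vbc.exe opened in the report
CHROME_PROFILE_MARK = "\\google\\chrome\\user data\\"

def _base(path: Optional[str]) -> str:
    return ntpath.basename(path or "").lower()

def _alert(rule: str, ev: Event, severity: str, detail: str) -> dict:
    return {"rule": rule, "pid": ev.pid, "severity": severity, "detail": detail}

def rule_compiler_host(ev: Event) -> Optional[dict]:
    """A .NET compiler started by anything other than build tooling; higher
    severity when the parent runs from a user-writable path, as here."""
    if (ev.kind != "process" or _base(ev.image) not in COMPILER_HOSTS
            or _base(ev.parent_image) in EXPECTED_COMPILER_PARENTS):
        return None
    parent = (ev.parent_image or "").lower()
    severity = "high" if any(s in parent for s in USER_WRITABLE) else "medium"
    return _alert("compiler_as_injection_host", ev, severity,
                  f"{_base(ev.image)} started by {ev.parent_image}")

def rule_credential_registry(ev: Event) -> Optional[dict]:
    """A process that is not a mail/IM client opening the account-store keys."""
    if ev.kind != "registry" or _base(ev.image) in CREDENTIAL_KEY_READERS:
        return None
    if any(ev.target.lower().startswith(k) for k in CREDENTIAL_KEYS):
        return _alert("credential_registry_read", ev, "high", ev.target)
    return None

def rule_browser_store(ev: Event) -> Optional[dict]:
    """Any process but chrome.exe opening Chrome's Login Data or Web Data."""
    if ev.kind != "file" or _base(ev.image) == "chrome.exe":
        return None
    path = ev.target.lower()
    if CHROME_PROFILE_MARK in path and _base(path) in CHROME_STORES:
        return _alert("browser_credential_store_read", ev, "high", ev.target)
    return None

def detect(events) -> list:
    """Run every rule over every event, then add one chain alert per PID that
    both looks like a hollowed compiler and touched a credential store."""
    rules = (rule_compiler_host, rule_credential_registry, rule_browser_store)
    alerts = [a for ev in events for a in (r(ev) for r in rules) if a]
    hits_by_pid = {}
    for a in alerts:
        hits_by_pid.setdefault(a["pid"], set()).add(a["rule"])
    for pid, hits in hits_by_pid.items():
        if "compiler_as_injection_host" in hits and len(hits) > 1:
            alerts.append({"rule": "infostealer_chain", "pid": pid, "severity":
                           "critical", "detail": "hollowed compiler read credential stores"})
    return alerts

def build_sample_events() -> list:
    """Constructed telemetry: the report's chain, then three benign look-alikes."""
    loader = r"C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe"
    vbc = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    chrome = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
    omi = r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"
    return [
        Event("process", 2172, loader, parent_image=r"C:\Windows\explorer.exe"),
        Event("process", 2960, loader, parent_image=loader),
        Event("process", 3100, vbc, parent_image=loader),
        Event("registry", 3100, vbc, omi),
        Event("registry", 3100, vbc, r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"),
        Event("file", 3100, vbc, chrome + r"\Login Data"),
        Event("process", 500, vbc, parent_image=r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"),
        Event("registry", 600, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", omi),
        Event("file", 700, r"C:\Program Files\Google\Chrome\Application\chrome.exe", chrome + r"\Login Data"),
    ]
```

Calling `detect(build_sample_events())` returns five alerts, all on PID 3100: the compiler-host alert at high severity (the parent runs from under C:\Users), two credential-registry alerts, one browser-store alert, and the correlated `infostealer_chain` alert at critical. The three benign events (a real MSBuild-driven compile, Outlook reading its own accounts key, Chrome opening its own Login Data) produce nothing. The loader processes themselves are not flagged by these rules; the behaviour graph's injection signatures (writes to foreign memory, hollowing) are what would cover them, and the chain rule exists so that the hollowed child is escalated even where those memory-level signals are unavailable.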


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DHL_AWB 518877882999_887755468_pdf.exe | 33% | Virustotal | -
DHL_AWB 518877882999_887755468_pdf.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\cmsyNzu.exe | 100% | Joe Sandbox ML | -

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.DHL_AWB 518877882999_887755468_pdf.exe.f40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
11.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
7.2.DHL_AWB 518877882999_887755468_pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg | 0% | URL Reputation | safe
http://sb.scorecardresearch.com/beacon.js | 0% | Avira URL Cloud | safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe

These URLs are strings recovered from process memory and from files the sample read, not observed connections: the font-foundry addresses (galapagosdesign.com, carterandcone.com, typography.net, fontfabrik.com, sandoll.co.kr, sajatypeworks.com, founder.com.cn, zhongyicts.com.cn) come from the metadata of the TTF files enumerated above, and the ad, telemetry and consent endpoints (outbrain, taboola, nelreports, scorecardresearch, onetrust, adservice.google) are consistent with the Chrome profile data the vbc.exe payload opened. Several are visibly truncated or carry trailing bytes from adjacent data ("coml", "netD", "crt0)"). The behaviour graph records only the private address 192.168.2.1 as network activity.

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

                                                                                                                                                                unknown

Contacted IPs

• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:502165
Start date:13.10.2021
Start time:17:07:49
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 11m 40s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:DHL_AWB 518877882999_887755468_pdf.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.phis.troj.spyw.evad.winEXE@10/7@0/1
EGA Information:Failed
HDC Information:
• Successful, ratio: 7.6% (good quality ratio 6.4%)
• Quality average: 72.5%
• Quality standard deviation: 35.8%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.50.102.62, 131.253.33.200, 13.107.22.200, 95.100.218.79, 95.100.216.89, 20.82.210.154, 2.20.178.56, 2.20.178.10, 20.54.110.249, 40.112.88.60, 2.20.178.24, 2.20.178.33
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
17:08:56 | API Interceptor | 3x Sleep call for process: DHL_AWB 518877882999_887755468_pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB 518877882999_887755468_pdf.exe.log
Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1216
Entropy (8bit):5.355304211458859
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:FED34146BF2F2FA59DCF8702FCC8232E
SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:true
Reputation:high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\2e8f43fa-ffff-b936-99ba-10ff8c640f0d
Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):108
Entropy (8bit):5.483051887012622
Encrypted:false
SSDEEP:3:/o3Q2QffK1zJcNXCcBpVIYmmrfwEkzfuB4n:/yjQfi1uN/cmsVz2B4
MD5:F011D936EB499ED9028D1DF4162D136F
SHA1:0CC320DB0A1ADE3C5A4278C09259772C879B7B57
SHA-256:2D6375D75D48604E8AA5C9D9064C82D93457340244E1D62BDF1C73A34EEA941D
SHA-512:FE5ACE131B3DE321C6B8CCFA47CC31BC809D421C44F9AB4A0383BA5515DC38A858D87579605264C82E4890626B3E5E92B3D7E0AA73889A41E37D93DF13CBA384
Malicious:false
Reputation:low
Preview: vMSR5XyDGaw1S/nFeKjG9z/ZXgLmXlt/JGB9hvSuvggzH9mecNyELmNW3haEhSc8aHNinZpbl/Y5zC3qc6wI9aD3dF0Mi2J9szSa7WRm4cg=

C:\Users\user\AppData\Local\Temp\bhvE48A.tmp
Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb0d9183e, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):1.0399297131617353
Encrypted:false
SSDEEP:24576:mcqhtSFKmLncRDPf6r0i1cREikolT3YEgI:6sLncx6r4
MD5:667F3E0A8064B46D23483A3AB5336CA2
SHA1:4D98A6C8A7FCD6D0D06697A19260C42ED749E782
SHA-256:47D0B6AE151AFDFE0352F84ECEB9FA18E0978C265A408B70E4CEE9B87091465B
SHA-512:3BE3AC56C84550648AEE973DB0EF4A1347A39C3DA8B6656B5977BC1E1A1224CACC22D8E785E50DCC23DA1947154CF0B732251E1F8862D89DDC7E27E0B24A17B0
Malicious:false
Reputation:low
Preview: ...>... ........9......p*.~.....w7..................................x..!....ye.h...........................z........w.............................................................................................._............B.................................................................................................................. ............y......................................................................................................................................................................................................................................'Z.t.....y..................R..;%....y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp
Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Little-endian UTF-16 Unicode text, with no line terminators
Category:modified
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:Qn:Qn
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Preview: ..

C:\Users\user\AppData\Local\Temp\tmp70BF.tmp
Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1656
Entropy (8bit):5.171528568960239
Encrypted:false
SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBntn:cbhH7MlNQ8/rydbz9I3YODOLNdq3L
MD5:AD951DCF7ECF37B0A4AA857B0D7403AE
                                                                                                                                                                SHA1:1C1E2C51F466443132BF5A6CE55EDEB1116DBCFB
                                                                                                                                                                SHA-256:1B58ED120BD7682F12CD22BC580B62BC0E3020DFBDE0444A68B654E93248DFEE
                                                                                                                                                                SHA-512:C4C2F68B0A1D5571B57A777D369BB9DDF3A4B36B686A4E04BC2BF464887A8E196A695B5D6ABFF0AFACCB3A89E3C6C16D793A9DCAB6227240FE9BF04F63F53D7B
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
C:\Users\user\AppData\Roaming\cmsyNzu.exe
Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1078272
Entropy (8bit):7.772035339679424
Encrypted:false
SSDEEP:24576:+yEc0kMMFANUc0FBcm6YAVjfsxogLMkB:1Ec0LWI+EJ3jYo3kB
MD5:7D11E82579E2A0628CA3C855AFE34FD1
SHA1:D6ABBBE7F991E79C3BC51480314386C0CCE5F2B9
SHA-256:691CB999C6BE0F430C14A9411ABF6796F174C8D8F3C3EDC4B819B3B35972D832
SHA-512:1939E68DAE222D5F7E4391C041EBEA87194E5BE8A9CEC6BC3BA83D1DC2242377ECE4E63BF8893CF9524C5933E2A6C9B3AE880DC5C0FE57B0125D0A09FAEADAE0
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0..h.............. ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....f... ...h.................. ..`.rsrc................j..............@..@.reloc...............r..............@..B.......................H........q..........y...p...................................................2..t...Q9.t<y.^>.s..o..f..p\.~<.S,..../........V.C:!*T7.b..,.k...V.5.Z...k...M"Z{.HX<<.$s..~o.....X.\*.-.... ".o...62..7......X....,.............N"..S.'.B..~.....Q..o..$.2.5<e...&.KA.J..k..uu.L....Z.W...r|zS. .W.f.!i....Q.2.T..8$Y.d..V.....K..... .r./.....}tye.....?.D.VO_.C.hR.~=..nx.`..B..Q...{..Y...f.E.Br:.a.)O=..@C-P.s.."....L......[.j....0N...1.......S.C.. a<-.......vI.Y....X+.Zj.
C:\Users\user\AppData\Roaming\cmsyNzu.exe:Zone.Identifier
Process:C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.772035339679424
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:DHL_AWB 518877882999_887755468_pdf.exe
File size:1078272
MD5:7d11e82579e2a0628ca3c855afe34fd1
SHA1:d6abbbe7f991e79c3bc51480314386c0cce5f2b9
SHA256:691cb999c6be0f430c14a9411abf6796f174c8d8f3c3edc4b819b3b35972d832
SHA512:1939e68dae222d5f7e4391c041ebea87194e5be8a9cec6bc3ba83d1dc2242377ece4e63bf8893cf9524c5933e2a6c9b3ae880dc5c0fe57b0125d0a09faeadae0
SSDEEP:24576:+yEc0kMMFANUc0FBcm6YAVjfsxogLMkB:1Ec0LWI+EJ3jYo3kB
                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0..h............... ........@.. ....................................@................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x5086ee
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x61667FF1 [Wed Oct 13 06:42:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:v4.0.30319
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x108694 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10a000 | 0x618 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1066f4 | 0x106800 | False | 0.874490327381 | data | 7.77724876545 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x10a000 | 0x618 | 0x800 | False | 0.33935546875 | data | 3.47597490494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x10a0a0 | 0x388 | data | |
RT_MANIFEST | 0x10a428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 2.0.1.0
InternalName | KeyedHashAlgorit.exe
FileVersion | 2.0.1.0
CompanyName | reblGreen Software Ltd
LegalTrademarks |
Comments |
ProductName | DimWin Brightness
ProductVersion | 2.0.1.0
FileDescription | DimWin Brightness
OriginalFilename | KeyedHashAlgorit.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 17:08:48
Start date: 13/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe'
Imagebase: 0xf40000
File size: 1078272 bytes
MD5 hash: 7D11E82579E2A0628CA3C855AFE34FD1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.290657795.000000000536D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.285852957.0000000003419000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.289479199.0000000004E84000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 17:09:01
Start date: 13/10/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cmsyNzu' /XML 'C:\Users\user\AppData\Local\Temp\tmp70BF.tmp'
Imagebase: 0xa30000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:09:01
Start date: 13/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:09:01
Start date: 13/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\DHL_AWB 518877882999_887755468_pdf.exe
Imagebase: 0xe60000
File size: 1078272 bytes
MD5 hash: 7D11E82579E2A0628CA3C855AFE34FD1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.525571222.000000000330E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.528296707.0000000007D90000.00000004.00020000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.523956583.0000000003203000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.526864554.00000000041F5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.517940589.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000003.278922139.0000000004A65000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 17:09:07
Start date: 13/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp1B0D.tmp'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.302021801.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 17:10:10
Start date: 13/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11A3.tmp'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000002.423819557.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

Disassembly

Code Analysis
