Windows Analysis Report DHL_AWB 51887788299___pdf.exe

Overview

General Information

Sample Name: DHL_AWB 51887788299___pdf.exe
Analysis ID: 504577
MD5: c453335b8c0417bd1c7e7e84278bac71
SHA1: 57160596f02d06791805a2324aaec47a2cab9b26
SHA256: 0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
Tags: DHL, exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 51887788299___pdf.exe Virustotal: Detection: 30%
Source: DHL_AWB 51887788299___pdf.exe ReversingLabs: Detection: 20%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qyEytITFs.exe ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: DHL_AWB 51887788299___pdf.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qyEytITFs.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Unpacked PE file: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack
Uses 32bit PE files
Source: DHL_AWB 51887788299___pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB 51887788299___pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 20_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 20_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 32_2_0040702D
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=75&w=100&
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbOGs.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: bhv360E.tmp.20.dr String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv360E.tmp.20.dr String found in binary or memory: http://t.wayfair.com/a/vendor_sync/user?vendor_id=1&uid=3011883223893104794&t=1
Source: bhv360E.tmp.20.dr String found in binary or memory: http://trc.taboola.com/p3p.xml
Source: bhv360E.tmp.20.dr String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.266504386.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.3k
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.260901116.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258915657.0000000007CA6000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comC
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259081110.0000000007C71000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comJ
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259567122.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259272180.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC5jd
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comV
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comXj
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comal
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259130153.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comof
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comt-p
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com-
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264147155.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262542099.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/-
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263417417.0000000007C77000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html-
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263880576.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers0.
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262993691.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersR
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263933123.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersT
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264241479.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersn
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262993691.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersz
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comituF
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.commf
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comoitul
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comueom
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258240534.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.ch
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258199458.0000000007CA5000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257920534.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258702940.0000000007CA5000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257466443.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/fo
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257920534.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnd
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258240534.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnn
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264908027.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264908027.0000000007C6D000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/Y
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264991059.0000000007C84000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264967218.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr-d
Source: bhv360E.tmp.20.dr String found in binary or memory: http://www.googleadservices.com/pagead/p3p.xml
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bhv360E.tmp.20.dr String found in binary or memory: http://www.msn.com
Source: bhv360E.tmp.20.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000014.00000003.308065135.000000000231A000.00000004.00000001.sdmp, bhv360E.tmp.20.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv360E.tmp.20.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv360E.tmp.20.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv360E.tmp.20.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, 00000014.00000002.309421865.000000000019C000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.255713374.0000000007C82000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com$
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.255713374.0000000007C82000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comno
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.260961497.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krFZ
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krhy/
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krom
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259768560.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258643634.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comBl
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256153678.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.net
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256102665.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netaTr
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.nete
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256102665.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netlic
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netlice
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262272352.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264329107.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dePw
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262631021.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.decw
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262272352.0000000007C84000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dei
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: bhv360E.tmp.20.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.310029618.00000000028DC000.00000004.00000001.sdmp, bhv360E.tmp.20.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
Source: bhv360E.tmp.20.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt
Source: vbc.exe, 00000014.00000003.307266109.000000000232E000.00000004.00000001.sdmp, bhv360E.tmp.20.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
Source: bhv360E.tmp.20.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv360E.tmp.20.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv360E.tmp.20.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv360E.tmp.20.dr String found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
Source: bhv360E.tmp.20.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv360E.tmp.20.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv360E.tmp.20.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv360E.tmp.20.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: vbc.exe, 00000014.00000003.308065135.000000000231A000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.ne
Source: bhv360E.tmp.20.dr String found in binary or memory: https://contextual.media.net/
Source: bhv360E.tmp.20.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv360E.tmp.20.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv360E.tmp.20.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhv360E.tmp.20.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: bhv360E.tmp.20.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhv360E.tmp.20.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 00000014.00000003.307288341.0000000002338000.00000004.00000001.sdmp, vbc.exe, 00000014.00000003.307315523.0000000002338000.00000004.00000001.sdmp, vbc.exe, 00000014.00000003.307384773.000000000233A000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1res://C:
Source: bhv360E.tmp.20.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 20_2_0040F078

System Summary:

Malicious sample detected (through community Yara rule)
Source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_AWB 51887788299___pdf.exe
Uses 32bit PE files
Source: DHL_AWB 51887788299___pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D0461 0_2_026D0461
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D1BD3 0_2_026D1BD3
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D19E6 0_2_026D19E6
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D1F08 0_2_026D1F08
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D32F8 0_2_026D32F8
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D3308 0_2_026D3308
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D1652 0_2_026D1652
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D0639 0_2_026D0639
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D16D6 0_2_026D16D6
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D1764 0_2_026D1764
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D1715 0_2_026D1715
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D27F9 0_2_026D27F9
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D17BE 0_2_026D17BE
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D0553 0_2_026D0553
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D2808 0_2_026D2808
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D18AA 0_2_026D18AA
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D1C11 0_2_026D1C11
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D1CB4 0_2_026D1CB4
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_0932AD20 0_2_0932AD20
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_09320040 0_2_09320040
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_09324890 0_2_09324890
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_09324880 0_2_09324880
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC10F0 19_2_00CC10F0
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC50B0 19_2_00CC50B0
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC2068 19_2_00CC2068
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC7003 19_2_00CC7003
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC1390 19_2_00CC1390
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC04E5 19_2_00CC04E5
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC9918 19_2_00CC9918
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC0C48 19_2_00CC0C48
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC3F63 19_2_00CC3F63
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC9F7B 19_2_00CC9F7B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC2059 19_2_00CC2059
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC4178 19_2_00CC4178
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC4175 19_2_00CC4175
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC3250 19_2_00CC3250
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC7208 19_2_00CC7208
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC1381 19_2_00CC1381
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC05ED 19_2_00CC05ED
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC05A6 19_2_00CC05A6
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC3568 19_2_00CC3568
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC0562 19_2_00CC0562
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC3563 19_2_00CC3563
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC4528 19_2_00CC4528
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC4525 19_2_00CC4525
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC053B 19_2_00CC053B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC36E8 19_2_00CC36E8
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC36E4 19_2_00CC36E4
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC87B0 19_2_00CC87B0
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC48DD 19_2_00CC48DD
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC48E0 19_2_00CC48E0
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC5880 19_2_00CC5880
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC7850 19_2_00CC7850
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC7860 19_2_00CC7860
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC587F 19_2_00CC587F
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC29F8 19_2_00CC29F8
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC29F4 19_2_00CC29F4
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC9917 19_2_00CC9917
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC0C40 19_2_00CC0C40
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC8E20 19_2_00CC8E20
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_056315DB 19_2_056315DB
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05631415 19_2_05631415
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_056314DD 19_2_056314DD
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05630778 19_2_05630778
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05630EA8 19_2_05630EA8
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05631295 19_2_05631295
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05631174 19_2_05631174
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05631134 19_2_05631134
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05630351 19_2_05630351
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_0563170B 19_2_0563170B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05631667 19_2_05631667
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_0563125A 19_2_0563125A
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_056312D5 19_2_056312D5
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05644310 19_2_05644310
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_056462B8 19_2_056462B8
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05644C00 19_2_05644C00
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_0564FBD0 19_2_0564FBD0
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05640006 19_2_05640006
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05649080 19_2_05649080
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05649090 19_2_05649090
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_0564C2C8 19_2_0564C2C8
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_0564C2B8 19_2_0564C2B8
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05643FC0 19_2_05643FC0
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05648B6B 19_2_05648B6B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05648B70 19_2_05648B70
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_0564FBC0 19_2_0564FBC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_004063BB 20_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0044900F 20_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_004042EB 20_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00414281 20_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00410291 20_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00415624 20_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0041668D 20_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040477F 20_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040487C 20_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0043589B 20_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0043BA9D 20_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0043FBD3 20_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_00404DE5 32_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_00404E56 32_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_00404EC7 32_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_00404F58 32_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_0040BF6B 32_2_0040BF6B
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004083D6 appears 32 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05631398 NtUnmapViewOfSection, 19_2_05631398
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040978A
Sample file is different than original file name gathered from version info
Source: DHL_AWB 51887788299___pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.303059257.00000000095D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.280872140.0000000009AF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 0000000C.00000002.289326467.0000000000482000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 0000000E.00000002.290117457.0000000000342000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 0000000F.00000002.291079753.00000000003E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000011.00000002.292237371.0000000000342000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525268598.0000000000D0A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000000.292783353.00000000004C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: qyEytITFs.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL_AWB 51887788299___pdf.exe Virustotal: Detection: 30%
Source: DHL_AWB 51887788299___pdf.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe File read: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: DHL_AWB 51887788299___pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe 'C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe File created: C:\Users\user\AppData\Roaming\qyEytITFs.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp395D.tmp
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@18/7@0/0
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 20_2_00418073
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 20_2_00417BE9
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 20_2_00413424
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\FBcolUf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_01
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource, 20_2_004141E0
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: DHL_AWB 51887788299___pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_AWB 51887788299___pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, vbc.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Unpacked PE file: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Unpacked PE file: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_004F6E4B push ebx; ret 0_2_004F6E6B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_004F5DA9 push ds; ret 0_2_004F5DB2
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 0_2_026D06E9 push edi; ret 0_2_026D06EA
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 12_2_00486E4B push ebx; ret 12_2_00486E6B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 12_2_00485DA9 push ds; ret 12_2_00485DB2
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 14_2_00346E4B push ebx; ret 14_2_00346E6B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 14_2_00345DA9 push ds; ret 14_2_00345DB2
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 15_2_003E6E4B push ebx; ret 15_2_003E6E6B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 15_2_003E5DA9 push ds; ret 15_2_003E5DB2
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_004C6E4B push ebx; ret 19_2_004C6E6B
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_004C5DA9 push ds; ret 19_2_004C5DB2
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC04E0 push eax; retf 19_2_00CC04E1
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC4519 pushad ; retf 19_2_00CC451A
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_00CC28D0 push esp; retf 19_2_00CC28D1
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05646F8B push 8BD08BFBh; retf 19_2_05646F90
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Code function: 19_2_05645851 push 5500CFFEh; iretd 19_2_0564585E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00444975 push ecx; ret 20_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00444B90 push eax; ret 20_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00444B90 push eax; ret 20_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00448E74 push eax; ret 20_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0042CF44 push ebx; retf 0042h 20_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_00412341 push ecx; ret 32_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_00412360 push eax; ret 32_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_00412360 push eax; ret 32_2_0041239C
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 20_2_004443B0
Source: initial sample Static PE information: section name: .text entropy: 7.8197081023

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe File created: C:\Users\user\AppData\Roaming\qyEytITFs.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 20_2_00443A61
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL_AWB 51887788299___pdf.exe.2854774.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3092 Thread sleep time: -45386s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 1956 Thread sleep count: 128 > 30
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 1956 Thread sleep time: -128000s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3372 Thread sleep count: 145 > 30
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3372 Thread sleep time: -145000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040978A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Thread delayed: delay time: 922337203685477
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0041829C memset,GetSystemInfo, 20_2_0041829C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 20_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 20_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 32_2_0040702D
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Thread delayed: delay time: 45386
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Thread delayed: delay time: 922337203685477
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: bhv360E.tmp.20.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:EE4890C5-90AE-59E2-5AC5-C20AA6654592&ctry=US&time=20211018T191808Z&lc=en-US&pl=en-US&idtp=mid&uid=d9fcfe42-b5d5-4629-ac66-c2605ea824c4&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=97dd00128f80467a9902a6b11acc148a&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1215312&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1215312&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040978A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 20_2_004443B0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3E5008
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 37B008
.NET source code references suspicious native API functions
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 20_2_00418137
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 20_2_004083A1 GetVersionExW, 20_2_004083A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 32_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 32_2_004073B6

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.294671201.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.528093886.0000000003965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 32_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 32_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 32_2_004033B1
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.294671201.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.528093886.0000000003965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match File source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Detected HawkEye Rat
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
No contacted IP infos