Windows Analysis Report DHL_AWB 51887788299___pdf.exe

Overview

General Information

Sample Name: DHL_AWB 51887788299___pdf.exe
Analysis ID: 504577
MD5: c453335b8c0417bd1c7e7e84278bac71
SHA1: 57160596f02d06791805a2324aaec47a2cab9b26
SHA256: 0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
Tags: DHL, exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • DHL_AWB 51887788299___pdf.exe (PID: 5288 cmdline: 'C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe' MD5: C453335B8C0417BD1C7E7E84278BAC71)
    • schtasks.exe (PID: 1380 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_AWB 51887788299___pdf.exe (PID: 1480 cmdline: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe MD5: C453335B8C0417BD1C7E7E84278BAC71)
      • vbc.exe (PID: 3388 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4960 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp
Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
Description: Detects BabyShark KimJongRAT
Author: Florian Roth
Strings:
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password

Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp
Rule: MAL_HawkEye_Keylogger_Gen_Dec18
Description: Detects HawkEye Keylogger Reborn
Author: Florian Roth
Strings:
  • 0x87e0e:$s1: HawkEye Keylogger
  • 0x87e77:$s1: HawkEye Keylogger
  • 0x81251:$s2: _ScreenshotLogger
  • 0x8121e:$s3: _PasswordStealer

Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Unpacked PEs

Source: 32.2.vbc.exe.400000.0.unpack
Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
Description: Detects BabyShark KimJongRAT
Author: Florian Roth
Strings:
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password

Source: 32.2.vbc.exe.400000.0.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack
Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
Description: Detects BabyShark KimJongRAT
Author: Florian Roth
Strings:
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password

Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 32.2.vbc.exe.400000.0.raw.unpack
Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
Description: Detects BabyShark KimJongRAT
Author: Florian Roth
Strings:
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 51887788299___pdf.exe, Virustotal: Detection: 30%
Source: DHL_AWB 51887788299___pdf.exe, ReversingLabs: Detection: 20%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qyEytITFs.exe, ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: DHL_AWB 51887788299___pdf.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qyEytITFs.exe, Joe Sandbox ML: detected
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe, Unpacked PE file: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack
Source: DHL_AWB 51887788299___pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB 51887788299___pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 20_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,20_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 20_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,20_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 32_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,32_2_0040702D
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, String found in binary or memory: http://bot.whatismyipaddress.com/
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
            Source: bhv360E.tmp.20.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA
            Source: bhv360E.tmp.20.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-
            Source: vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.drString found in binary or memory: http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1
            Source: vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.drString found in binary or memory: http://s.amazon-adsystem.com/x/da2e6c890e6e3636
            Source: bhv360E.tmp.20.drString found in binary or memory: http://sb.scorecardresearch.com/beacon.js
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: bhv360E.tmp.20.drString found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/8c/865070.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsWyr.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuMD0.img?h=333&w=311
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbOGs.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
            Source: bhv360E.tmp.20.drString found in binary or memory: http://t.wayfair.com/a/vendor_sync/user?vendor_id=1&uid=3011883223893104794&t=1
            Source: bhv360E.tmp.20.drString found in binary or memory: http://trc.taboola.com/p3p.xml
            Source: bhv360E.tmp.20.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.266504386.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.3k
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.260901116.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258915657.0000000007CA6000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comC
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259081110.0000000007C71000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comJ
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259567122.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259272180.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC5jd
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comV
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comXj
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comal
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259130153.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comof
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comt-p
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com-
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264147155.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262542099.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/-
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263417417.0000000007C77000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html-
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263880576.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers0.
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262993691.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersR
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263933123.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersT
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264241479.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersn
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262993691.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersz
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituF
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.commf
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitul
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueom
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258240534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.ch
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258199458.0000000007CA5000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257920534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258702940.0000000007CA5000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257466443.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/fo
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257920534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258240534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnn
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264908027.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264908027.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/Y
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264991059.0000000007C84000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264967218.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr-d
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.googleadservices.com/pagead/p3p.xml
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 00000014.00000003.308065135.000000000231A000.00000004.00000001.sdmp, bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, 00000014.00000002.309421865.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: vbc.exe, vbc.exe, 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.255713374.0000000007C82000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com$
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.255713374.0000000007C82000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comno
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.260961497.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krFZ
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krhy/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match; File source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 20_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,20_2_0040F078

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
            Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
            Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
            Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
            Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
            Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTRMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTRMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeCode function: 19_2_05631398 NtUnmapViewOfSection,19_2_05631398
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,20_2_0040978A
            Source: DHL_AWB 51887788299___pdf.exeBinary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.303059257.00000000095D0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.280872140.0000000009AF1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 0000000C.00000002.289326467.0000000000482000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 0000000E.00000002.290117457.0000000000342000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 0000000F.00000002.291079753.00000000003E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000011.00000002.292237371.0000000000342000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525268598.0000000000D0A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000000.292783353.00000000004C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exeBinary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: qyEytITFs.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DHL_AWB 51887788299___pdf.exeVirustotal: Detection: 30%
            Source: DHL_AWB 51887788299___pdf.exeReversingLabs: Detection: 20%
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeFile read: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe 'C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeProcess created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | File created: C:\Users\user\AppData\Roaming\qyEytITFs.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp395D.tmp
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@18/7@0/0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,20_2_00418073
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_na