
Windows Analysis Report DHL_AWB 51887788299___pdf.exe

Overview

General Information

Sample Name: DHL_AWB 51887788299___pdf.exe
Analysis ID: 504577
MD5: c453335b8c0417bd1c7e7e84278bac71
SHA1: 57160596f02d06791805a2324aaec47a2cab9b26
SHA256: 0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
Tags: DHL, exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • DHL_AWB 51887788299___pdf.exe (PID: 5288 cmdline: 'C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe' MD5: C453335B8C0417BD1C7E7E84278BAC71)
    • schtasks.exe (PID: 1380 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_AWB 51887788299___pdf.exe (PID: 1480 cmdline: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe MD5: C453335B8C0417BD1C7E7E84278BAC71)
      • vbc.exe (PID: 3388 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4960 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87e0e:$s1: HawkEye Keylogger
  • 0x87e77:$s1: HawkEye Keylogger
  • 0x81251:$s2: _ScreenshotLogger
  • 0x8121e:$s3: _PasswordStealer
00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
32.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
32.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
32.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 51887788299___pdf.exe | Virustotal: Detection: 30%
Source: DHL_AWB 51887788299___pdf.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qyEytITFs.exe | ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: DHL_AWB 51887788299___pdf.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qyEytITFs.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Unpacked PE file: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack
Source: DHL_AWB 51887788299___pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB 51887788299___pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
            Source: bhv360E.tmp.20.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA
            Source: bhv360E.tmp.20.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-
            Source: vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.drString found in binary or memory: http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1
            Source: vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.drString found in binary or memory: http://s.amazon-adsystem.com/x/da2e6c890e6e3636
            Source: bhv360E.tmp.20.drString found in binary or memory: http://sb.scorecardresearch.com/beacon.js
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: bhv360E.tmp.20.drString found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/8c/865070.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsWyr.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuMD0.img?h=333&w=311
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbOGs.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
            Source: bhv360E.tmp.20.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
            Source: bhv360E.tmp.20.drString found in binary or memory: http://t.wayfair.com/a/vendor_sync/user?vendor_id=1&uid=3011883223893104794&t=1
            Source: bhv360E.tmp.20.drString found in binary or memory: http://trc.taboola.com/p3p.xml
            Source: bhv360E.tmp.20.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.266504386.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.3k
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.260901116.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258915657.0000000007CA6000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comC
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259081110.0000000007C71000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comJ
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259567122.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259272180.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC5jd
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comV
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comXj
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comal
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259130153.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comof
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comt-p
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com-
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264147155.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262542099.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/-
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263417417.0000000007C77000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html-
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263880576.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers0.
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262993691.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersR
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263933123.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersT
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264241479.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersn
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262993691.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersz
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituF
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.commf
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264280275.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitul
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueom
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258240534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.ch
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258199458.0000000007CA5000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257920534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258702940.0000000007CA5000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257466443.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/fo
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257920534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258240534.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnn
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264908027.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264908027.0000000007C6D000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/Y
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264991059.0000000007C84000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264967218.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr-d
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.googleadservices.com/pagead/p3p.xml
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 00000014.00000003.308065135.000000000231A000.00000004.00000001.sdmp, bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhv360E.tmp.20.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, 00000014.00000002.309421865.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: vbc.exe, vbc.exe, 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.255713374.0000000007C82000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com$
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.255713374.0000000007C82000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comno
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.260961497.0000000007C84000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krFZ
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krhy/
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krom
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259768560.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258643634.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comBl
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256153678.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256102665.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netaTr
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.nete
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256102665.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netlic
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netlice
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262272352.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264329107.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dePw
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262631021.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.decw
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262272352.0000000007C84000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dei
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
            Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
            Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.310029618.00000000028DC000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt
            Source: vbc.exe, 00000014.00000003.307266109.000000000232E000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
            Source: vbc.exe, 00000014.00000003.308065135.000000000231A000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.ne
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://contextual.media.net/
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: vbc.exe, 00000014.00000003.307288341.0000000002338000.00000004.00000001.sdmp, vbc.exe, 00000014.00000003.307315523.0000000002338000.00000004.00000001.sdmp, vbc.exe, 00000014.00000003.307384773.000000000233A000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1res://C:
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/286x175/2/79/227/59/931bcbc9-c308-445b-ac87-70a69b051455.jpg?v=9
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/300x194/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/300x300/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBEB4CB72
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Google
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:300
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmEU9fBBc-.woff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOlCnqEu92Fr1MmSU5fBBc-.woff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v19/KFOmCnqEu92Fr1Mu4mxM.woff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7064439419818173&output=html&h=250&twa=
            Source: vbc.exe, 00000014.00000003.307332281.0000000002345000.00000004.00000001.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/adsclient=ca-pub-7064439419818173&output=html&h=250&twa=1
            Source: vbc.exe, 00000014.00000002.309931306.0000000002330000.00000004.00000001.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/adshttp://cookies.onetrust.mgr.consensu.org/?name=euconse
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/adview?ai=C4ZZc-r8UXcilEM6E-gaA-YLQCODD_YZVtLCoh4gJ8ui0tf
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
            Source: vbc.exe, 00000014.00000002.309715992.0000000000AA0000.00000004.00000040.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ht66jL
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.html
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
            Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, vbc.exe, 00000014.00000003.307423141.000000000232A000.00000004.00000001.sdmp, vbc.exe, 00000014.00000003.307266109.000000000232E000.00000004.00000001.sdmp, vbc.exe, 00000014.00000003.308043717.00000000028DB000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wre
            Source: vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1561640951&rver=7.0.6730.0&wp=l
            Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
            Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=c21d6fc334f1b2ec2cf4d2cbc4199764_4535_1561640954843
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=cadd7d1b12e34ff71b0237f3627e8ef3_4535_1561640955067
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mcdp-chidc2.outbrain.com/l?token=e2c41a910c7be90243b349629cd840b2_4535_1561640955327
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://p.rfihub.com/cm?in=1&pub=345&userid=3011883223893104794
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://pagead2.googlesyndication.com/pub-config/r20160913/ca-pub-7064439419818173.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://pki.goog/repository/0
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://pr-bh.ybp.yahoo.com/sync/msn/0D4108E9D28A6B29364F0561D37B6A29
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://secure.comodo.com/CPS0
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=9a5be529d6034927bda092231704a93b&c=MSN&d=http%3A%2F%2Fwww.msn
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://sync.outbrain.com/cookie-sync?p=medianet&uid=2046425540973639000V10
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/abg_lite.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/m_js_controller.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/qs_click_protection.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20190624/r20110914/client/window_focus.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://tpc.googlesyndication.com/simgad/1034445299425550758?w=300&h=300
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://widgets.outbrain.com/
            Source: vbc.exe, 00000014.00000003.308055603.000000000232D000.00000004.00000001.sdmp | String found in binary or memory: https://widgets.outbrain.com/widgetOBUserSync/obUserSo
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://widgets.outbrain.com/widgetOBUserSync/obUserSync.html
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.digicert.com/CPS0
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.globalsign.com/repository/0
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=892565928.1601478348
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/
            Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
            Source: vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | String found in binary or memory: https://www.google.com/pagead/drt/ui
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js?cb=%2Fr20100101
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd_listener.js?cache=r20110914
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
            Source: bhv360E.tmp.20.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D0461
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D1BD3
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D19E6
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D1F08
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D32F8
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D3308
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D1652
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D0639
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D16D6
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D1764
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D1715
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D27F9
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D17BE
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D0553
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D2808
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D18AA
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D1C11
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D1CB4
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_0932AD20
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_09320040
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_09324890
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_09324880
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC10F0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC50B0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC2068
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC7003
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC1390
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC04E5
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC9918
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC0C48
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC3F63
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC9F7B
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC2059
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC4178
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC4175
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC3250
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC7208
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC1381
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC05ED
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC05A6
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC3568
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC0562
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC3563
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC4528
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC4525
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC053B
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC36E8
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC36E4
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC87B0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC48DD
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC48E0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC5880
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC7850
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC7860
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC587F
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC29F8
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC29F4
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC9917
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC0C40
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC8E20
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_056315DB
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05631415
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_056314DD
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05630778
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05630EA8
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05631295
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05631174
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05631134
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05630351
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_0563170B
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05631667
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_0563125A
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_056312D5
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05644310
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_056462B8
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05644C00
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_0564FBD0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05640006
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05649080
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05649090
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_0564C2C8
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_0564C2B8
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05643FC0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05648B6B
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05648B70
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_0564FBC0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_004063BB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0044900F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_004042EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00414281
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00410291
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00415624
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0041668D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040477F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040487C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0043589B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0043BA9D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0043FBD3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_00404DE5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_00404E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_00404EC7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_00404F58
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_0040BF6B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 87 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 32 times
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05631398 NtUnmapViewOfSection,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: DHL_AWB 51887788299___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.303059257.00000000095D0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000003.280872140.0000000009AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 0000000C.00000002.289326467.0000000000482000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 0000000E.00000002.290117457.0000000000342000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 0000000F.00000002.291079753.00000000003E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000011.00000002.292237371.0000000000342000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Binary or memory string: OriginalFilename vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525268598.0000000000D0A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000000.292783353.00000000004C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Binary or memory string: OriginalFilenameIClientResponseChannelSinkSta.exe4 vs DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: qyEytITFs.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DHL_AWB 51887788299___pdf.exe | Virustotal: Detection: 30%
            Source: DHL_AWB 51887788299___pdf.exe | ReversingLabs: Detection: 20%
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | File read: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: DHL_AWB 51887788299___pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe 'C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | File created: C:\Users\user\AppData\Roaming\qyEytITFs.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp395D.tmp
            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@18/7@0/0
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeMutant created: \Sessions\1\BaseNamedObjects\FBcolUf
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_01
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeMutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: DHL_AWB 51887788299___pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: DHL_AWB 51887788299___pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, vbc.exe

            Data Obfuscation:

            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Unpacked PE file: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Unpacked PE file: 0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_004F6E4B push ebx; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_004F5DA9 push ds; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 0_2_026D06E9 push edi; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 12_2_00486E4B push ebx; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 12_2_00485DA9 push ds; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 14_2_00346E4B push ebx; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 14_2_00345DA9 push ds; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 15_2_003E6E4B push ebx; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 15_2_003E5DA9 push ds; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_004C6E4B push ebx; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_004C5DA9 push ds; ret
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC04E0 push eax; retf
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC4519 pushad ; retf
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_00CC28D0 push esp; retf
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05646F8B push 8BD08BFBh; retf
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Code function: 19_2_05645851 push 5500CFFEh; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00444975 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00448E74 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0042CF44 push ebx; retf 0042h
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_00412341 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_00412360 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_00412360 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: initial sample | Static PE information: section name: .text entropy: 7.8197081023
            Source: initial sample | Static PE information: section name: .text entropy: 7.8197081023
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | File created: C:\Users\user\AppData\Roaming\qyEytITFs.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 0.2.DHL_AWB 51887788299___pdf.exe.2854774.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3092 | Thread sleep time: -45386s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3156 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 1956 | Thread sleep count: 128 > 30
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 1956 | Thread sleep time: -128000s >= -30000s
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3372 | Thread sleep count: 145 > 30
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe TID: 3372 | Thread sleep time: -145000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0041829C memset,GetSystemInfo,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Thread delayed: delay time: 45386
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Thread delayed: delay time: 922337203685477
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: bhv360E.tmp.20.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:EE4890C5-90AE-59E2-5AC5-C20AA6654592&ctry=US&time=20211018T191808Z&lc=en-US&pl=en-US&idtp=mid&uid=d9fcfe42-b5d5-4629-ac66-c2605ea824c4&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=97dd00128f80467a9902a6b11acc148a&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1215312&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1215312&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3E5008
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 37B008
            .NET source code references suspicious native API functions
            Source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.525757846.0000000001290000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 20_2_004083A1 GetVersionExW,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 32_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avp.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match | File source: 32.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.422dbda.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.72d834a.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.3a01990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.294671201.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.528093886.0000000003965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.7280345.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.DHL_AWB 51887788299___pdf.exe.41d5bd5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.3965950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.294671201.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.528093886.0000000003965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_AWB 51887788299___pdf.exe.429a240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 5288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL_AWB 51887788299___pdf.exe PID: 1480, type: MEMORYSTR
Detected HawkEye Rat
Source: DHL_AWB 51887788299___pdf.exe, 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB 51887788299___pdf.exe, 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 11 | Scheduled Task/Job 1 | Process Injection 412 | Deobfuscate/Decode Files or Information 11 | Credentials in Registry 2 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 3 | Credentials In Files 1 | File and Directory Discovery 2 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 23 | NTDS | System Information Discovery 19 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Security Software Discovery 331 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Virtualization/Sandbox Evasion 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 412 | DCSync | Process Discovery 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 504577
            Sample: DHL_AWB 51887788299___pdf.exe
            Startdate: 18/10/2021
            Architecture: WINDOWS
            Score: 100

            Signatures at the root node:
            • Malicious sample detected (through community Yara rule)
            • Multi AV Scanner detection for dropped file
            • Multi AV Scanner detection for submitted file
            • 14 other signatures

            Process tree:
            • DHL_AWB 51887788299___pdf.exe (started)
              Dropped files: C:\Users\user\AppData\Roaming\qyEytITFs.exe (PE32); C:\Users\...\qyEytITFs.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp395D.tmp (XML); C:\...\DHL_AWB 51887788299___pdf.exe.log (ASCII)
              Signature: Injects a PE file into a foreign processes
              • DHL_AWB 51887788299___pdf.exe (started)
                Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
                • vbc.exe (started)
                  Signatures: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)
                • vbc.exe (started)
                  Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
              • schtasks.exe (started)
                • conhost.exe (started)
              • DHL_AWB 51887788299___pdf.exe (started)
              • 3 other processes (started)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            DHL_AWB 51887788299___pdf.exe | 30% | Virustotal |
            DHL_AWB 51887788299___pdf.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
            DHL_AWB 51887788299___pdf.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\qyEytITFs.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\qyEytITFs.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun

            Unpacked PE Files

            Source | Detection | Scanner | Label
            19.2.DHL_AWB 51887788299___pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
            20.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
            0.2.DHL_AWB 51887788299___pdf.exe.4f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://www.goodfont.co.kr-d | 0% | Avira URL Cloud | safe
            https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
            http://www.tiro.comBl | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.typography.netlic | 0% | Avira URL Cloud | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            https://pki.goog/repository/0 | 0% | URL Reputation | safe
            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.carterandcone.comof | 0% | URL Reputation | safe
            http://www.sandoll.co.krhy/ | 0% | Avira URL Cloud | safe
            http://www.sajatypeworks.com$ | 0% | Avira URL Cloud | safe
            http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
            http://www.carterandcone.comt-p | 0% | Avira URL Cloud | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
            http://www.sandoll.co.krFZ | 0% | Avira URL Cloud | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.carterandcone.comXj | 0% | Avira URL Cloud | safe
            http://www.carterandcone.comC | 0% | URL Reputation | safe
            http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM | 0% | Avira URL Cloud | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | 0% | Avira URL Cloud | safe
            http://www.carterandcone.comV | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.urwpp.de | 0% | URL Reputation | safe
            http://www.carterandcone.comJ | 0% | Avira URL Cloud | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ | 0% | Avira URL Cloud | safe
            http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/Y | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/fo | 0% | Avira URL Cloud | safe
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://googleads.g.doubleclick.net/pagead/html/r20190624/r20190131/zrt_lookup.html | bhv360E.tmp.20.dr | false | | high
            http://www.goodfont.co.kr-d | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9 | bhv360E.tmp.20.dr | false | | high
            http://www.fontbureau.com/designers/frere-jones.html- | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.263417417.0000000007C77000.00000004.00000001.sdmp | false | | high
            http://www.msn.com | bhv360E.tmp.20.dr | false | | high
            http://www.fontbureau.com/designers | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264147155.0000000007C84000.00000004.00000001.sdmp | false | | high
            http://www.nirsoft.net | vbc.exe, 00000014.00000002.309421865.000000000019C000.00000004.00000001.sdmp | false | | high
            https://deff.nelreports.net/api/report?cat=msn | bhv360E.tmp.20.dr | false | URL Reputation: safe | unknown
            https://contextual.media.net/__media__/js/util/nrrV9140.js | bhv360E.tmp.20.dr | false | | high
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692 | vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.310029618.00000000028DC000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | false | | high
            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | bhv360E.tmp.20.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/chrome/ | bhv360E.tmp.20.dr | false | | high
            https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1 | bhv360E.tmp.20.dr | false | | high
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g | bhv360E.tmp.20.dr | false | | high
            http://www.tiro.comBl | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.258643634.0000000007C84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://cvision.media.net/new/286x175/2/79/227/59/931bcbc9-c308-445b-ac87-70a69b051455.jpg?v=9 | bhv360E.tmp.20.dr | false | | high
            http://www.galapagosdesign.com/DPlease | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.typography.netlic | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256102665.0000000007C84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.zhongyicts.com.cn | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg | bhv360E.tmp.20.dr | false | | high
            http://cdn.adnxs.com/v/s/169/trk.js | bhv360E.tmp.20.dr | false | | high
            http://s.amazon-adsystem.com/v3/pr?exlist=an&fv=1.0&a=cm&cm3ppd=1 | vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | false | | high
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhv360E.tmp.20.dr | false | | high
            https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c | bhv360E.tmp.20.dr | false | | high
            https://p.rfihub.com/cm?in=1&pub=345&userid=3011883223893104794 | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhv360E.tmp.20.dr | false | | high
            https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie | bhv360E.tmp.20.dr | false | | high
            https://pki.goog/repository/0 | bhv360E.tmp.20.dr | false | URL Reputation: safe | unknown
            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | bhv360E.tmp.20.dr | false | URL Reputation: safe | unknown
            http://cm.adform.net/pixel?adform_pid=16&adform_pc=3011883223893104794 | bhv360E.tmp.20.dr | false | | high
            http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhv360E.tmp.20.dr | false | | high
            http://cdn.taboola.com/TaboolaCookieSyncScript.js | bhv360E.tmp.20.dr | false | | high
            http://www.carterandcone.coml | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.msn.com/ | bhv360E.tmp.20.dr | false | | high
            http://www.carterandcone.comof | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259130153.0000000007C84000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg | bhv360E.tmp.20.dr | false | | high
            http://www.sandoll.co.krhy/ | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.google.com/chrome/static/images/fallback/icon-help.jpg | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/accounts/servicelogin | vbc.exe | false | | high
            http://trc.taboola.com/p3p.xml | bhv360E.tmp.20.dr | false | | high
            http://www.sajatypeworks.com$ | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.256182448.0000000007C84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
            http://crl.pki.goog/gsr2/gsr2.crl0? | bhv360E.tmp.20.dr | false | URL Reputation: safe | unknown
            http://pki.goog/gsr2/GTSGIAG3.crt0) | bhv360E.tmp.20.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/fallback/icon-fb.jpg | bhv360E.tmp.20.dr | false | | high
            http://www.carterandcone.comt-p | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxMmRiZGQ2ZTMxY2I0MTYxNmZjOWNjNjExZDU3MzhiY2UwN | bhv360E.tmp.20.dr | false | Avira URL Cloud: safe | unknown
            http://www.founder.com.cn/cn/bThe | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://aefd.nelreports.net/api/report?cat=bingth | bhv360E.tmp.20.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/homepage/google-canary.png | bhv360E.tmp.20.dr | false | | high
            http://ib.adnxs.com/getuid?http://s.amazon-adsystem.com/ecm3?id=$UID&ex=appnexus.com | vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | false | | high
            https://sync.outbrain.com/cookie-sync?p=medianet&uid=2046425540973639000V10 | bhv360E.tmp.20.dr | false | | high
            https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png | bhv360E.tmp.20.dr | false | | high
            https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/chrome/static/js/main.v2.min.js | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg | bhv360E.tmp.20.dr | false | | high
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf | bhv360E.tmp.20.dr | false | | high
            http://www.sandoll.co.krFZ | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215 | vbc.exe, 00000014.00000003.307250738.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | false | | high
            http://www.typography.netD | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://fontfabrik.com | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.carterandcone.comXj | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.carterandcone.comC | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.fontbureau.comB.TTF | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.294779789.0000000007C66000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg | bhv360E.tmp.20.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxOGQyZTYxNTQ5NjE3M2VjYzlkYWMyMWExY2Q4ZDFlYTRmM | bhv360E.tmp.20.dr | false | Avira URL Cloud: safe | unknown
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | bhv360E.tmp.20.dr | false | Avira URL Cloud: safe | unknown
            http://www.carterandcone.comV | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259496069.0000000007C84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fonts.com | DHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmp | false | | high
            http://www.sandoll.co.kr | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257379867.0000000007C70000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0 | bhv360E.tmp.20.dr | false | | high
            http://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4-AAAAid7__f_ | bhv360E.tmp.20.dr | false | | high
            http://www.urwpp.de | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.262272352.0000000007C84000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.carterandcone.comJ | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.259081110.0000000007C71000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&euconsent=BOi01ZPOi01ZPAcABBENB4-AAA | bhv360E.tmp.20.dr | false | | high
            http://pr-bh.ybp.yahoo.com/sync/msft/3011883223893104794?gdpr=1&gdpr_consent=BOi01ZPOi01ZPAcABBENB4- | bhv360E.tmp.20.dr | false | | high
            https://www.google.com/pagead/drt/ui | vbc.exe, 00000014.00000003.307412763.0000000002323000.00000004.00000001.sdmp, bhv360E.tmp.20.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ3OGFmNTY2YzEzMzI1ZTIwNzU3Y2FhOTg3NTNjNGRmMzYwZ | bhv360E.tmp.20.dr | false | Avira URL Cloud: safe | unknown
            https://widgets.outbrain.com/widgetOBUserSync/obUserSync.html | bhv360E.tmp.20.dr | false | | high
            http://pomf.cat/upload.php | DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.google.com/chrome/static/js/installer.min.js | bhv360E.tmp.20.dr | false | | high
            http://www.galapagosdesign.com/Y | DHL_AWB 51887788299___pdf.exe, 00000000.00000003.264908027.0000000007C6D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                                                                                                  https://www.google.com/chrome/static/images/download-browser/pixel_tablet.pngbhv360E.tmp.20.drfalse
                                                                                                                    high
                                                                                                                    https://cvision.media.net/new/300x194/2/100/237/97/93b3dc40-172c-479f-bf5a-5d49e8538bf9.jpg?v=9bhv360E.tmp.20.drfalse
                                                                                                                      high
                                                                                                                      http://www.founder.com.cn/cn/foDHL_AWB 51887788299___pdf.exe, 00000000.00000003.257466443.0000000007C84000.00000004.00000001.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://bot.whatismyipaddress.com/DHL_AWB 51887788299___pdf.exe, 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv360E.tmp.20.drfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://www.google.com/chrome/static/images/homepage/google-beta.pngbhv360E.tmp.20.drfalse
                                                                                                                          high
                                                                                                                          http://www.msn.com/de-ch/?ocid=iehpbhv360E.tmp.20.drfalse
                                                                                                                            high
                                                                                                                            https://www.google.com/chrome/static/images/icon-file-download.svgbhv360E.tmp.20.drfalse
                                                                                                                              high
                                                                                                                              http://www.fontbureau.com/designers/cabarga.htmlNDHL_AWB 51887788299___pdf.exe, 00000000.00000002.302149117.0000000008EF2000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9bhv360E.tmp.20.drfalse
                                                                                                                                  high
                                                                                                                                  http://www.founder.com.cn/cnDHL_AWB 51887788299___pdf.exe, 00000000.00000003.258199458.0000000007CA5000.00000004.00000001.sdmp, DHL_AWB 51887788299___pdf.exe, 00000000.00000003.257920534.0000000007C84000.00000004.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://www.googletagservices.com/activeview/js/current/osd.js?cb=%2Fr20100101bhv360E.tmp.20.drfalse
                                                                                                                                    high
                                                                                                                                    http://acdn.adnxs.com/dmp/async_usersync.htmlbhv360E.tmp.20.drfalse
                                                                                                                                      high
                                                                                                                                      https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1bhv360E.tmp.20.drfalse
                                                                                                                                        high
                                                                                                                                        https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47bhv360E.tmp.20.drfalse
                                                                                                                                          high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 504577
Start date: 18.10.2021
Start time: 12:17:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 19s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DHL_AWB 51887788299___pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@18/7@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.4% (good quality ratio 6.8%)
• Quality average: 64.4%
• Quality standard deviation: 38.5%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.50.102.62, 204.79.197.200, 13.107.21.200, 95.100.218.79, 95.100.216.89, 20.54.110.249, 40.112.88.60, 40.91.112.76, 2.20.178.33, 2.20.178.24
• Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
12:18:33 | API Interceptor | 2x Sleep call for process: DHL_AWB 51887788299___pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB 51887788299___pdf.exe.log
Process: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\97695d7d-f686-3bef-0bdf-699df2eb7081
Process: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 88
Entropy (8bit): 5.361372635874905
Encrypted: false
SSDEEP: 3:/o3Q2QffK1zJcNXCDYnOUEU8ARZEYY:/yjQfi1uN84Eko
MD5: C0E51F45B53C7238AF5A1F4B1DCF1931
SHA1: 846FD39DE731D6C9D2829D586AD009F13FB25954
SHA-256: F4A352FDA42C6B11EF30471C653020667966DBE93151CBC42BBC391388CD97E5
SHA-512: 6869CD38287B7F44CF3D1FABA93A20DC6BD5833E1EAAAAB4FC6C2D713646A9B5E0A3907D6D2E55B396AF3DA3E0ADDA4220F3E441B8FCE7BC392E47A6632E578A
Malicious: false
Preview: vMSR5XyDGaw1S/nFeKjG9z/ZXgLmXlt/JGB9hvSuvginM1+wNBRAb4BSxMm6GSOXqKY5eXHQMTtNvXr1HIdW1A==

C:\Users\user\AppData\Local\Temp\bhv360E.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x29982920, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 1.0616470367564328
Encrypted: false
SSDEEP: 24576:g1qhtSFKmL3cCDPf6r0i1cREikolT3YEgI:bsL3c46r4
MD5: 5974D181790002AEA45D96C4BEC189AD
SHA1: A9C28C81583ADCD9E3C017F41209F7D7BBD0C539
SHA-256: A529DD54651A9DA03A4E826283726ED580B35392BB8035481419058634A1A162
SHA-512: F0433D4849853CBD7776134EE3D21BB35DCA3E2B94D0DB021594210B945FB99205CF5FF94ABE296AB4A000BB35F333DC025118A5840272E023182D449A84B218
Malicious: false
Preview: ).) ... ........9......p*.~.....w7..................................x7......yu.h...........................z........w.............................................................................................._............B.................................................................................................................. .......3....x......................................................................................................................................................................................................................................i..O/....y+.....................'....y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp395D.tmp
Process: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1658
Entropy (8bit): 5.172379903143974
Encrypted: false
SSDEEP: 24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBtOtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3Ho
MD5: F01606DFFA93B906ADADAF9CCF0BCD82
SHA1: B56CFDFB4D077FD658DE028E5452C3DFE8EA418D
SHA-256: 61B3653451D1203EF4DE3F895A820180ED1D20EE43CAD98CA3E690253350F5C8
SHA-512: B2E71A1517F3683932EFA1E2F8FB429F75965B68E9E52F815E36D5839B2B80FFD14C4C03AF1906E2D62C00E860B6BA6D3CC6A5798F0CBEA1A22D601260C6A304
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                                                                                                                          C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):2
                                                                                                                                          Entropy (8bit):1.0
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Qn:Qn
                                                                                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: ..
                                                                                                                                          C:\Users\user\AppData\Roaming\qyEytITFs.exe
                                                                                                                                          Process:C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):852480
                                                                                                                                          Entropy (8bit):7.814230472508504
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:FwLm88jyKO+ihkMqxus73XBez9wPDWmiHe/bM+77TBl+67WsjYlu2DLrLXaU:FwLoVOS8YiwP63He/brTBlDzeu
                                                                                                                                          MD5:C453335B8C0417BD1C7E7E84278BAC71
                                                                                                                                          SHA1:57160596F02D06791805A2324AAEC47A2CAB9B26
                                                                                                                                          SHA-256:0A0E7C81912B02E6EC1C7FBB338F4EF200E23D441D57C692CC88FEF616593F0D
                                                                                                                                          SHA-512:95C03192ECA1756435F2580F562A36F6EEAE42415EBD5932A2BDA60DD8107E3415DBFB7BF93D2AEE5120D1CF26A62BF36B3881250C2540654FD26B96FA95473C
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 20%
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....la..............0.............n.... ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................P.......H...........|...........................................................b.y..n}F2.}(.&zx...Q..2....L......i..tn..p.e.I......8...)..."g.....A.,'....~.H.H..}6..B<..........8N!._..@...Qr.f@c.<V.T..D...f'%.,.>.ua..y..v.."p.W.[!&^....U..Vsl..L.............!.!..>....]i.<U......i...S...>IaQ_Gos"....{...E.6.....*..."/8.T..Ji.O..y....>7.....c.W.x>.`.\N.:Z#,...A.G3.|.0.,...@.....Y..KX.6.;l.\...m.Q..9f.......J....]s.W....'................C!..-.. .$...[Ig.T..
                                                                                                                                          C:\Users\user\AppData\Roaming\qyEytITFs.exe:Zone.Identifier
                                                                                                                                          Process:C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):26
                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                          Malicious:true
                                                                                                                                          Preview: [ZoneTransfer]....ZoneId=0

                                                                                                                                          Static File Info

                                                                                                                                          General

                                                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                          Entropy (8bit):7.814230472508504
                                                                                                                                          TrID:
                                                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                          File name:DHL_AWB 51887788299___pdf.exe
                                                                                                                                          File size:852480
                                                                                                                                          MD5:c453335b8c0417bd1c7e7e84278bac71
                                                                                                                                          SHA1:57160596f02d06791805a2324aaec47a2cab9b26
                                                                                                                                          SHA256:0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
                                                                                                                                          SHA512:95c03192eca1756435f2580f562a36f6eeae42415ebd5932a2bda60dd8107e3415dbfb7bf93d2aee5120d1cf26a62bf36b3881250c2540654fd26b96fa95473c
                                                                                                                                          SSDEEP:12288:FwLm88jyKO+ihkMqxus73XBez9wPDWmiHe/bM+77TBl+67WsjYlu2DLrLXaU:FwLoVOS8YiwP63He/brTBlDzeu
                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....la..............0.............n.... ... ....@.. .......................`............@................................

                                                                                                                                          File Icon

                                                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                                                          Static PE Info

                                                                                                                                          General

                                                                                                                                          Entrypoint:0x4d176e
                                                                                                                                          Entrypoint Section:.text
                                                                                                                                          Digitally signed:false
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          Subsystem:windows gui
                                                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                          Time Stamp:0x616CD4C5 [Mon Oct 18 01:58:29 2021 UTC]
                                                                                                                                          TLS Callbacks:
                                                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                                                          OS Version Major:4
                                                                                                                                          OS Version Minor:0
                                                                                                                                          File Version Major:4
                                                                                                                                          File Version Minor:0
                                                                                                                                          Subsystem Version Major:4
                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                          Entrypoint Preview

                                                                                                                                          Instruction
                                                                                                                                          jmp dword ptr [00402000h]
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al
                                                                                                                                          add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd1714          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd2000          0x5d8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xcf774       0xcf800   False     0.870147778614   data       7.8197081023    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xd2000          0x5d8         0x600     False     0.420572916667   data       4.12172736374   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd4000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0xd20a0  0x34c  data
RT_MANIFEST  0xd23ec  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  2.0.0.0
InternalName      IClientResponseChannelSinkSta.exe
FileVersion       2.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       LocalChat
ProductVersion    2.0.0.0
FileDescription   LocalChat
OriginalFilename  IClientResponseChannelSinkSta.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 12:18:25
Start date: 18/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe'
Imagebase: 0x4f0000
File size: 852480 bytes
MD5 hash: C453335B8C0417BD1C7E7E84278BAC71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.300702164.000000000466A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.296408700.0000000002809000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.298050605.0000000004009000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 12:18:40
Start date: 18/10/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qyEytITFs' /XML 'C:\Users\user\AppData\Local\Temp\tmp395D.tmp'
Imagebase: 0x870000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:18:41
Start date: 18/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:18:41
Start date: 18/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Imagebase: 0x480000
File size: 852480 bytes
MD5 hash: C453335B8C0417BD1C7E7E84278BAC71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 12:18:43
Start date: 18/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Imagebase: 0x340000
File size: 852480 bytes
MD5 hash: C453335B8C0417BD1C7E7E84278BAC71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 12:18:43
Start date: 18/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Imagebase: 0x3e0000
File size: 852480 bytes
MD5 hash: C453335B8C0417BD1C7E7E84278BAC71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 12:18:43
Start date: 18/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Imagebase: 0x340000
File size: 852480 bytes
MD5 hash: C453335B8C0417BD1C7E7E84278BAC71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 12:18:44
Start date: 18/10/2021
Path: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\DHL_AWB 51887788299___pdf.exe
Imagebase: 0x4c0000
File size: 852480 bytes
MD5 hash: C453335B8C0417BD1C7E7E84278BAC71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.527639915.0000000002A7F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000002.526218473.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000002.521607657.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000003.294671201.00000000041D5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000003.294671201.00000000041D5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000002.528751258.0000000007280000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.528093886.0000000003965000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000002.528093886.0000000003965000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          Reputation:low

General

Start time: 12:18:47
Start date: 18/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCFD5.tmp'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000014.00000002.309474312.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 12:19:51
Start date: 18/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC9A7.tmp'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000020.00000002.438579523.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high
