Windows Analysis Report DHL_AWB 65335643399___pdf.exe

Overview

General Information

Sample Name: DHL_AWB 65335643399___pdf.exe
Analysis ID: 516538
MD5: 52ef260ef62aae29914f40cb8eaed7ac
SHA1: cba71c49ae1c145c6e9210685be42f4aa24b0e18
SHA256: 752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
Tags: exehawkeye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected WebBrowserPassView password recovery tool
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL_AWB 65335643399___pdf.exe Virustotal: Detection: 26%
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: DHL_AWB 65335643399___pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: DHL_AWB 65335643399___pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 8_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 12_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 12_2_00408CAC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 4x nop then jmp 07FABE90h 0_2_07FABDB5
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=http
s%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=http
s%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.micr
osoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.micr
osoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.micr
osoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 0000000D.00000003.438830919.0000000000A3E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336476043.0000000005D5B000.00000004.00000001.sdmp String found in binary or memory: http://en.w)
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336076136.0000000005D5B000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000000.00000002.389645120.0000000006F52000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000003.336007214.0000000005D5B000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com/
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://google.com/chrome
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: bhv7E75.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: vbc.exe, 00000008.00000003.403764467.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.406082134.00000000022AE000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403993310.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403428748.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403352721.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403250563.00000000022A3000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.424487107.000000000223E000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422702275.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422786505.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422243341.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422112434.0000000002233000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422184852.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436725657.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436819908.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438015449.0000000000A3E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436279584.0000000000A33000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.438830919.0000000000A3E000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436354749.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436415474.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455503892.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454799669.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.457424591.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.456654465.00000000020FE000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454890238.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454697900.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: vbc.exe, 00000008.00000003.403764467.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.404030985.00000000022AD000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.403320580.00000000022A3000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422702275.000000000223D000.00000004.00000001.sdmp, vbc.exe, 0000000C.00000003.422167377.0000000002233000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436725657.0000000000A3D000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000003.436340701.0000000000A33000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.455081268.00000000020FD000.00000004.00000001.sdmp, vbc.exe, 00000011.00000003.454779329.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv7E75.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Window created: window name: CLIPBRDWNDCLASS
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 8_2_0040F078

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_AWB 65335643399___pdf.exe
Uses 32bit PE files
Source: DHL_AWB 65335643399___pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_0150EBD8 0_2_0150EBD8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_0150EBCB 0_2_0150EBCB
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_0150BF7C 0_2_0150BF7C
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_07FA63A0 0_2_07FA63A0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_07FA6391 0_2_07FA6391
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_07FA0352 0_2_07FA0352
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_07FA0040 0_2_07FA0040
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_07FA0006 0_2_07FA0006
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02921390 7_2_02921390
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029250B0 7_2_029250B0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029210E8 7_2_029210E8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02927003 7_2_02927003
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02922068 7_2_02922068
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029204D8 7_2_029204D8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029238E6 7_2_029238E6
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02929918 7_2_02929918
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02922ECD 7_2_02922ECD
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02929F78 7_2_02929F78
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02920C48 7_2_02920C48
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02927208 7_2_02927208
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923250 7_2_02923250
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02921381 7_2_02921381
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02922059 7_2_02922059
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02924178 7_2_02924178
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02924168 7_2_02924168
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029236D8 7_2_029236D8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029236E8 7_2_029236E8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029287B0 7_2_029287B0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029217D4 7_2_029217D4
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_0292174D 7_2_0292174D
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029205A6 7_2_029205A6
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029205ED 7_2_029205ED
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02924519 7_2_02924519
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_0292053B 7_2_0292053B
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02924528 7_2_02924528
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02920562 7_2_02920562
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923567 7_2_02923567
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923568 7_2_02923568
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923AAA 7_2_02923AAA
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923ADD 7_2_02923ADD
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923A02 7_2_02923A02
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923A77 7_2_02923A77
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02921BB9 7_2_02921BB9
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02920BA8 7_2_02920BA8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923BCE 7_2_02923BCE
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923BF1 7_2_02923BF1
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923B1E 7_2_02923B1E
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923B60 7_2_02923B60
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02925880 7_2_02925880
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029248D0 7_2_029248D0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029218FB 7_2_029218FB
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029248E0 7_2_029248E0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02927850 7_2_02927850
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02925870 7_2_02925870
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02927860 7_2_02927860
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923981 7_2_02923981
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029239D7 7_2_029239D7
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029219F6 7_2_029219F6
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029229F8 7_2_029229F8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_029229E9 7_2_029229E9
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_0292990A 7_2_0292990A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02921E95 7_2_02921E95
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923E1A 7_2_02923E1A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02928E20 7_2_02928E20
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923E75 7_2_02923E75
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02921C83 7_2_02921C83
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02921CBA 7_2_02921CBA
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923C1D 7_2_02923C1D
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923C73 7_2_02923C73
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923DA0 7_2_02923DA0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923DDD 7_2_02923DDD
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02923D40 7_2_02923D40
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_02921D6F 7_2_02921D6F
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E4430 7_2_058E4430
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E0778 7_2_058E0778
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E4680 7_2_058E4680
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E0EA8 7_2_058E0EA8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E6EE8 7_2_058E6EE8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E14DD 7_2_058E14DD
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E1415 7_2_058E1415
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E1295 7_2_058E1295
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058ED920 7_2_058ED920
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E4671 7_2_058E4671
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E6EC1 7_2_058E6EC1
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E4928 7_2_058E4928
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E170B 7_2_058E170B
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E1667 7_2_058E1667
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E7107 7_2_058E7107
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E1134 7_2_058E1134
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058EF16C 7_2_058EF16C
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E1174 7_2_058E1174
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E7031 7_2_058E7031
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E12D5 7_2_058E12D5
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E125A 7_2_058E125A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E3DA0 7_2_058E3DA0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E3DF0 7_2_058E3DF0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E3AAC 7_2_058E3AAC
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E3AB0 7_2_058E3AB0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F4310 7_2_058F4310
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F62B8 7_2_058F62B8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F4C00 7_2_058F4C00
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058FFBC0 7_2_058FFBC0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F9080 7_2_058F9080
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F9090 7_2_058F9090
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058FC2B8 7_2_058FC2B8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058FC2C8 7_2_058FC2C8
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F3FC0 7_2_058F3FC0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F8B60 7_2_058F8B60
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058F8B70 7_2_058F8B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0044900F 8_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004042EB 8_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00414281 8_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00410291 8_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004063BB 8_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00415624 8_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0041668D 8_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040477F 8_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040487C 8_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0043589B 8_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0043BA9D 8_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0043FBD3 8_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0044900F 12_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004042EB 12_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00414281 12_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00410291 12_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004063BB 12_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00415624 12_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0041668D 12_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040477F 12_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040487C 12_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0043589B 12_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0043BA9D 12_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0043FBD3 12_2_0043FBD3
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044465C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044466E appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00415F19 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044468C appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00444B90 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041607A appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0042F6EF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004162C2 appears 174 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004083D6 appears 64 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 7_2_058E1398 NtUnmapViewOfSection, 7_2_058E1398
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 8_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 12_2_0040978A
Sample file is different than original file name gathered from version info
Source: DHL_AWB 65335643399___pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.384048080.0000000000AD2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe Binary or memory string: OriginalFilename vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.602565955.0000000000B58000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382825709.00000000006F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe Binary or memory string: OriginalFilenameX509Constan.exe4 vs DHL_AWB 65335643399___pdf.exe
Source: DHL_AWB 65335643399___pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NbJgZAsv.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL_AWB 65335643399___pdf.exe Virustotal: Detection: 26%
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe File read: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe"
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe File created: C:\Users\user\AppData\Roaming\NbJgZAsv.exe
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpBB4.tmp
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@16/13@0/1
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 8_2_00418073
Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 8_2_00417BE9
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 8_2_00413424
Source: DHL_AWB 65335643399___pdf.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\LcfvXkhsWmtOAyNmKljqjUzj
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource, 8_2_004141E0
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: DHL_AWB 65335643399___pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_AWB 65335643399___pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: DHL_AWB 65335643399___pdf.exe, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: NbJgZAsv.exe.0.dr, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs .Net Code: aPPSKavZv28fanfBNj System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Code function: 0_2_07FABB53 push esp; ret 0_2_07FABB54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00444975 push ecx; ret 8_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00444B90 push eax; ret 8_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00444B90 push eax; ret 8_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00448E74 push eax; ret 8_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0042CF44 push ebx; retf 0042h 8_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00444975 push ecx; ret 12_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00444B90 push eax; ret 12_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00444B90 push eax; ret 12_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00448E74 push eax; ret 12_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0042CF44 push ebx; retf 0042h 12_2_0042CF49
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_004443B0
Binary contains a suspicious time stamp
Source: DHL_AWB 65335643399___pdf.exe Static PE information: 0xBAAB9656 [Fri Mar 29 18:28:38 2069 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.57987288124
Source: DHL_AWB 65335643399___pdf.exe, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: DHL_AWB 65335643399___pdf.exe, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: DHL_AWB 65335643399___pdf.exe, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: DHL_AWB 65335643399___pdf.exe, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: NbJgZAsv.exe.0.dr, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: NbJgZAsv.exe.0.dr, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: NbJgZAsv.exe.0.dr, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: NbJgZAsv.exe.0.dr, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 0.0.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 0.2.DHL_AWB 65335643399___pdf.exe.ad0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.13.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.11.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.7.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.9.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.5.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.0.DHL_AWB 65335643399___pdf.exe.6f0000.0.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, Yq3SJuck2DdQAa5Oq8/mmZLVsvevpYC4wJi7K.cs High entropy of concatenated method names: 'fcqFx5KNV', 'wSyai6MRe', '.ctor', 'CnHE7XJ90', 'B0DvPH5Nj', 'pZHc4h4P7', 'lAhVO2Emy', 'j07LivM2O', 'tee095mZL', 'gse9vpYC4'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, cjIFho9hjNPMTU7TCt/wcC70B04HclPu7pirx.cs High entropy of concatenated method names: 'cqrR9Nhpw2', 'YRORhj5MWY', 'M0QRMUR4Ky', 'fGJR5ChA8k', 'bjhRZBGNw5', 'fQsRDRLLVD', 'da8RgJfo0Z', 'lrVR2KbSml', 'S1Sq7Oavo', 'cANz55JS1'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, emYThFKg085F0XhJut/VC4ECoh31RkBhvF2AW.cs High entropy of concatenated method names: 'Vs6ROpgamd', 'pY5RCOAedj', 'ioMR1GYN53', 'TsBRlAQD0t', 'GDdRIRc80P', 'NZWRt9Q45w', '.ctor', 'L7RRTUWXL2', 'LfNRJvrtyI', 'sfpRmdObbl'
Source: 7.2.DHL_AWB 65335643399___pdf.exe.6f0000.1.unpack, WCyNJoLnc4ZZCllx5f/WQe3NnVIj2LgD5JhnU.cs High entropy of concatenated method names: 'jIhOb3YtB', 'SaXCAlZJv', 'UpDu2FdOv', 'sVbBDMyeH', 'W9KirKg7Z', 'CcJ8IUO3Y', 'LMXQb8jHo', 'DnKpGfKkV', 'pEpIAnawv', 'IPwtaWalc'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe File created: C:\Users\user\AppData\Roaming\NbJgZAsv.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp"

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00443A61
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process information set: NOOPENFILEERRORBOX (75 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.2e32b8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp, DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6540 Thread sleep time: -32392s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 7076 Thread sleep count: 138 > 30
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 7076 Thread sleep time: -138000s >= -30000s
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe TID: 6292 Thread sleep time: -345600000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 8_2_0040978A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Thread delayed: delay time: 172800000
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0041829C memset,GetSystemInfo, 8_2_0041829C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 8_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 12_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 12_2_00408CAC
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Thread delayed: delay time: 32392
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Thread delayed: delay time: 172800000
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp Binary or memory string: vmware
Source: bhv7E75.tmp.13.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20211105T222051Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=acb40644ee59409e84e67afcd8be5637&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1241428&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1241428&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.385059771.0000000002E11000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 8_2_0040978A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_004443B0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 269008
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3FE008
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 242008
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 267008
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 220008
.NET source code references suspicious native API functions
Source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp"
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp"
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp"
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp"
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp"
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp"
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.603790196.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 8_2_00418137
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004083A1 GetVersionExW, 8_2_004083A1

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000000.584728372.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.585393509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.584242337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.583483657.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.583887483.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.606069695.0000000002CBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6756, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 17.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.415051620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.429195340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604722336.0000000002B87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604997751.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604881484.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.392634525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.444119712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.458049589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.439502988.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.443122582.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.606344857.0000000003AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.414637682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.606732949.0000000004FC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.414189798.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.424952995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.394234087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.413703386.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.393712124.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.394776440.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.429569305.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.428434291.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.384365256.0000000004355000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.445590834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.443616731.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.428849255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.408592264.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6740, type: MEMORYSTR
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.604385666.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.380988424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.381541048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.387656235.000000000409C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.600470804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.382170553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_AWB 65335643399___pdf.exe PID: 6996, type: MEMORYSTR
Detected HawkEye Rat
Source: DHL_AWB 65335643399___pdf.exe, 00000000.00000002.388044368.00000000042A9000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: DHL_AWB 65335643399___pdf.exe, 00000007.00000000.382709219.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles