Windows Analysis Report DHL Delivery Invoice AWB 2774038374 .pdf.exe

Overview

General Information

Sample Name: DHL Delivery Invoice AWB 2774038374 .pdf.exe
Analysis ID: 553161
MD5: a44512118be5e5420c9d710a96353898
SHA1: 5867f5faf6acfa48b90f21d655411fd98d50136d
SHA256: 9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555
Tags: AgentTeslaDHLexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "vladmir@amova.ga", "Password": "marcellinus360", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Virustotal: Detection: 33% Perma Link
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe ReversingLabs: Detection: 51%
Antivirus / Scanner detection for submitted sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe Avira: detection malicious, Label: HEUR/AGEN.1140941
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe ReversingLabs: Detection: 51%
Machine Learning detection for sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.RegSvcs.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 13.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 13.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack
Uses 32bit PE files
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_04F474DC
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_04F4A7A8

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 77.88.21.158 77.88.21.158
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49811 -> 77.88.21.158:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49811 -> 77.88.21.158:587
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp String found in binary or memory: http://smtp.yandex.com
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://subca.ocsp-certum.com0.
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com-
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comG
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comangN
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comext:
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comscreen
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comy:
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comzJo
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://www.certum.pl/CPS0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287899875.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286577441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286437473.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/r-t
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com6
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286646679.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comC.TTF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287133112.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286437473.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comFM
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comR.TTF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comW.TTFM
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.294356101.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.319948570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcep/
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomd
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286646679.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287133112.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd6
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdaF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed~
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgritah
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comituFM
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comony
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comrsiv)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283731492.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283792623.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283823226.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283661315.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283605847.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283550929.0000000007E5A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283745473.0000000007E5A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283179466.0000000007E3E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnNJ
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288563700.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288487364.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/D
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/c
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/e-e
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284762977.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284668327.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284697527.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/rs
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288374211.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288394129.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288428074.0000000007E5B000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.:
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281322115.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com.
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com8
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comoftU
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comres#
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283808495.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283862148.0000000007E2D000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://yandex.ocsp-responder.com03
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp String found in binary or memory: http://ykYQwS.com
Source: RegSvcs.exe, 0000000D.00000002.551775173.00000000032ED000.00000004.00000001.sdmp String found in binary or memory: https://I0Mrtx23jQBQ7aEbHqQ.com
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp String found in binary or memory: https://www.certum.pl/CPS0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: smtp.yandex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01360D50 SetWindowsHookExW 0000000D,00000000,?,? 13_2_01360D50
Creates a DirectInput object (often for capturing keystrokes)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: initial sample Static PE information: Filename: DHL Delivery Invoice AWB 2774038374 .pdf.exe
.NET source code contains very large array initializations
Source: 13.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
Source: 13.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
Uses 32bit PE files
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_010121C0 0_2_010121C0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_010117A8 0_2_010117A8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_0101B61C 0_2_0101B61C
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01010F98 0_2_01010F98
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_010153E3 0_2_010153E3
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_010153E8 0_2_010153E8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01015220 0_2_01015220
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01015230 0_2_01015230
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01010470 0_2_01010470
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01015620 0_2_01015620
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01015628 0_2_01015628
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01015831 0_2_01015831
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01014B10 0_2_01014B10
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01014B20 0_2_01014B20
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_01010F85 0_2_01010F85
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_04F4560C 0_2_04F4560C
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_04F480D8 0_2_04F480D8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_04F480CA 0_2_04F480CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F73C70 13_2_00F73C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F76048 13_2_00F76048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F7DC00 13_2_00F7DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F74108 13_2_00F74108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F7A270 13_2_00F7A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F7121E 13_2_00F7121E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F740F9 13_2_00F740F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F7BC40 13_2_00F7BC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F7D3F0 13_2_00F7D3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01213590 13_2_01213590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01214C68 13_2_01214C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012108B0 13_2_012108B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01218098 13_2_01218098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0121AF10 13_2_0121AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0121BC50 13_2_0121BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012188E8 13_2_012188E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012187E9 13_2_012187E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01369520 13_2_01369520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0136A890 13_2_0136A890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01361360 13_2_01361360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013BED68 13_2_013BED68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013B68B0 13_2_013B68B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013B5B50 13_2_013B5B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013B5620 13_2_013B5620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013B3698 13_2_013B3698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013BE2C8 13_2_013BE2C8
Sample file is different than original file name gathered from version info
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Binary or memory string: OriginalFilename vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320700009.000000000AFD0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000000.277349228.0000000000672000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315495501.00000000006F8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: uHlRqGSIW.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Virustotal: Detection: 33%
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File read: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Jump to behavior
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpCDD.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/9@2/1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: 13.0.RegSvcs.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.RegSvcs.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.RegSvcs.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.RegSvcs.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Code function: 0_2_04F46380 push eax; retf 0_2_04F46381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0136D594 push ebx; iretd 13_2_0136D595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013BB597 push edi; retn 0000h 13_2_013BB599
Source: initial sample Static PE information: section name: .text entropy: 7.72362140685
Source: initial sample Static PE information: section name: .text entropy: 7.72362140685

Persistence and Installation Behavior:

barindex
Creates processes with suspicious names
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: \dhl delivery invoice awb 2774038374 .pdf.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: \dhl delivery invoice awb 2774038374 .pdf.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: \dhl delivery invoice awb 2774038374 .pdf.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: \dhl delivery invoice awb 2774038374 .pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: \dhl delivery invoice awb 2774038374 .pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: \dhl delivery invoice awb 2774038374 .pdf.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp

Hooking and other Techniques for Hiding and Protection:

barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: DHL Delivery Invoice AWB 2774038374 .pdf.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.2a6f26c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe TID: 6348 Thread sleep time: -35447s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe TID: 6420 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7340 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2740 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7099 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Thread delayed: delay time: 35447 Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: vmware
Source: RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00F7EFB8 LdrInitializeThunk, 13_2_00F7EFB8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.43eba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4383260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.43eba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4383260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553161 Sample: DHL Delivery Invoice AWB 27... Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Antivirus detection for dropped file 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 17 other signatures 2->41 7 DHL Delivery Invoice AWB 2774038374 .pdf.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, PE32 7->23 dropped 25 C:\Users\...\uHlRqGSIW.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, XML 7->27 dropped 29 DHL Delivery Invoi...038374 .pdf.exe.log, ASCII 7->29 dropped 43 Adds a directory exclusion to Windows Defender 7->43 11 RegSvcs.exe 6 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 smtp.yandex.ru 77.88.21.158, 49811, 49812, 587 YANDEXRU Russian Federation 11->31 33 smtp.yandex.com 11->33 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->47 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 5 other signatures 11->51 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
77.88.21.158
 smtp.yandex.ru Russian Federation
13238 YANDEXRU false

Contacted Domains

Name IP Active
smtp.yandex.ru 77.88.21.158 true
smtp.yandex.com unknown unknown