Windows Analysis Report DHL Delivery Invoice AWB 2774038374 .pdf.exe

Overview

General Information

Sample Name: DHL Delivery Invoice AWB 2774038374 .pdf.exe
Analysis ID: 553161
MD5: a44512118be5e5420c9d710a96353898
SHA1: 5867f5faf6acfa48b90f21d655411fd98d50136d
SHA256: 9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • DHL Delivery Invoice AWB 2774038374 .pdf.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" MD5: A44512118BE5E5420C9D710A96353898)
    • powershell.exe (PID: 6916 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6936 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 7092 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "vladmir@amova.ga", "Password": "marcellinus360", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
13.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
13.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
13.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started
Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7092

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started
Author: frack113
Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, ProcessId: 6936

Sigma detected: Powershell Defender Exclusion
Source: Process started
Author: Florian Roth
Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, ProcessId: 6916

Sigma detected: Possible Applocker Bypass
Source: Process started
Author: juju4
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7092

Sigma detected: Non Interactive PowerShell
Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, ProcessId: 6916

Sigma detected: T1086 PowerShell Execution
Source: Pipe created
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Data: PipeName: \PSHost.132866648308116717.6916.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "vladmir@amova.ga", "Password": "marcellinus360", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Virustotal: Detection: 33%
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | ReversingLabs: Detection: 51%
Antivirus / Scanner detection for submitted sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | Avira: detection malicious, Label: HEUR/AGEN.1140941
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | ReversingLabs: Detection: 51%
Machine Learning detection for sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | Joe Sandbox ML: detected
Source: 13.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 13.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_04F474DC
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_04F4A7A8
Source: Joe Sandbox View | IP Address: 77.88.21.158 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.5:49811 -> 77.88.21.158:587
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comW.TTFM
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.294356101.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.319948570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcep/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery 
Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomd
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286646679.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287133112.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd6
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdaF
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed~
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgritah
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituFM
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comony
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comrsiv)
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283731492.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283792623.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283823226.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283661315.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283605847.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283550929.0000000007E5A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283745473.0000000007E5A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283179466.0000000007E3E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnNJ
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288563700.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288487364.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/D
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/e-e
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284762977.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284668327.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284697527.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/q
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/rs
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288374211.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288394129.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288428074.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.:
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281322115.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com.
                      Source: unknown DNS traffic detected: queries for: smtp.yandex.com

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Installs a global keyboard hook
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Contains functionality to register a low level keyboard hook
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01360D50 SetWindowsHookExW 0000000D,00000000,?,? 13_2_01360D50
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample Static PE information: Filename: DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      .NET source code contains very large array initializations
                      Source: 13.0.RegSvcs.exe.400000.4.unpack, <PrivateImplementationDetails>{CB5D8163-DDD9-461D-8999-58E4C6CEA2EE}/C320B9C2-BC65-4DC5-ADE0-8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
                      Source: 13.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{CB5D8163-DDD9-461D-8999-58E4C6CEA2EE}/C320B9C2-BC65-4DC5-ADE0-8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
                      Source: 13.0.RegSvcs.exe.400000.2.unpack, <PrivateImplementationDetails>{CB5D8163-DDD9-461D-8999-58E4C6CEA2EE}/C320B9C2-BC65-4DC5-ADE0-8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
                      Source: 13.0.RegSvcs.exe.400000.1.unpack, <PrivateImplementationDetails>{CB5D8163-DDD9-461D-8999-58E4C6CEA2EE}/C320B9C2-BC65-4DC5-ADE0-8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
                      Source: 13.0.RegSvcs.exe.400000.3.unpack, <PrivateImplementationDetails>{CB5D8163-DDD9-461D-8999-58E4C6CEA2EE}/C320B9C2-BC65-4DC5-ADE0-8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
                      Source: 13.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{CB5D8163-DDD9-461D-8999-58E4C6CEA2EE}/C320B9C2-BC65-4DC5-ADE0-8F7E52CC18E7.cs Large array initialization: .cctor: array initializer size 11950
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Binary or memory string: OriginalFilename vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320700009.000000000AFD0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000000.277349228.0000000000672000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315495501.00000000006F8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: uHlRqGSIW.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Virustotal: Detection: 33%
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe ReversingLabs: Detection: 51%
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File read: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/9@2/1
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
                      Source: 13.0.RegSvcs.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 13.0.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 13.0.RegSvcs.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:
