
Windows Analysis Report DHL Delivery Invoice AWB 2774038374 .pdf.exe

Overview

General Information

Sample Name:DHL Delivery Invoice AWB 2774038374 .pdf.exe
Analysis ID:553161
MD5:a44512118be5e5420c9d710a96353898
SHA1:5867f5faf6acfa48b90f21d655411fd98d50136d
SHA256:9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555
Tags:AgentTeslaDHLexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • DHL Delivery Invoice AWB 2774038374 .pdf.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" MD5: A44512118BE5E5420C9D710A96353898)
    • powershell.exe (PID: 6916 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6936 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 7092 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "vladmir@amova.ga", "Password": "marcellinus360", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 14 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
13.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
13.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
13.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7092
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, ProcessId: 6936
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, ProcessId: 6916
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7092
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, ProcessId: 6916
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132866648308116717.6916.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "vladmir@amova.ga", "Password": "marcellinus360", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Virustotal: Detection: 33%
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; ReversingLabs: Detection: 51%
Antivirus / Scanner detection for submitted sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe; Avira: detection malicious, Label: HEUR/AGEN.1140941
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe; ReversingLabs: Detection: 51%
Machine Learning detection for sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen2
Source: 13.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: Joe Sandbox View; IP Address: 77.88.21.158
Source: global traffic; TCP traffic: 192.168.2.5:49811 -> 77.88.21.158:587
Source: global traffic; TCP traffic: 192.168.2.5:49811 -> 77.88.21.158:587
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.yandex.com
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://subca.ocsp-certum.com0.
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://subca.ocsp-certum.com01
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com-
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comG
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comangN
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comext:
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comscreen
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comy:
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comzJo
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; String found in binary or memory: http://www.certum.pl/CPS0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287899875.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286577441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286437473.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/r-t
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com6
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comB.TTF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286646679.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comC.TTF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287133112.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286437473.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comFM
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comR.TTF
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comW.TTFM
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.294356101.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.319948570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcep/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery 
Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomd
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286646679.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287133112.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd6
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdaF
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed~
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgritah
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituFM
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comony
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comrsiv)
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283731492.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283792623.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283823226.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283661315.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283605847.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283550929.0000000007E5A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283745473.0000000007E5A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283179466.0000000007E3E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnNJ
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288563700.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288487364.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/D
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/e-e
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284762977.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284668327.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284697527.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/q
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/rs
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288374211.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288394129.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288428074.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.:
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281322115.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com.
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com8
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comoftU
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comres#
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283808495.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283862148.0000000007E2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp | String found in binary or memory: http://ykYQwS.com
Source: RegSvcs.exe, 0000000D.00000002.551775173.00000000032ED000.00000004.00000001.sdmp | String found in binary or memory: https://I0Mrtx23jQBQ7aEbHqQ.com
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01360D50 SetWindowsHookExW 0000000D,00000000,?,?
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL Delivery Invoice AWB 2774038374 .pdf.exe
.NET source code contains very large array initializations
Source: 13.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs | Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs | Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs | Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs | Large array initialization: .cctor: array initializer size 11950
Source: 13.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs | Large array initialization: .cctor: array initializer size 11950
Source: 13.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCB5D8163u002dDDD9u002d461Du002d8999u002d58E4C6CEA2EEu007d/C320B9C2u002dBC65u002d4DC5u002dADE0u002d8F7E52CC18E7.cs | Large array initialization: .cctor: array initializer size 11950
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_010121C0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_010117A8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_0101B61C
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01010F98
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_010153E3
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_010153E8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01015220
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01015230
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01010470
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01015620
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01015628
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01015831
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01014B10
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01014B20
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_01010F85
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_04F4560C
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_04F480D8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_04F480CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F73C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F76048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F7DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F74108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F7A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F7121E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F740F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F7BC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_00F7D3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01213590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01214C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_012108B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01218098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0121AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0121BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_012188E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_012187E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01369520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0136A890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01361360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013BED68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013B68B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013B5B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013B5620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013B3698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013BE2C8
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Binary or memory string: OriginalFilename vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320700009.000000000AFD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000000.277349228.0000000000672000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315495501.00000000006F8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: uHlRqGSIW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Virustotal: Detection: 33%
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File read: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/9@2/1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: 13.0.RegSvcs.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_04F46380 push eax; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0136D594 push ebx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013BB597 push edi; retn 0000h
Source: initial sample | Static PE information: section name: .text entropy: 7.72362140685
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: \dhl delivery invoice awb 2774038374 .pdf.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara matchFile source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.2a6f26c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe TID: 6348Thread sleep time: -35447s >= -30000s
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe TID: 6420Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7340
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1187
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2740
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7099
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeThread delayed: delay time: 35447
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_00F7EFB8 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.43eba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4383260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.43eba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4383260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools11 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Input Capture211 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information13 | Credentials in Registry1 | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing23 | NTDS | Security Software Discovery311 | Distributed Component Object Model | Input Capture211 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading11 | LSA Secrets | Process Discovery2 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion131 | Cached Domain Credentials | Virtualization/Sandbox Evasion131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection12 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                      Behavior Graph

[Behavior graph image not reproduced; node data recovered from the graph follows]

Behavior Graph ID: 553161
Sample: DHL Delivery Invoice AWB 27...
Startdate: 14/01/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 17 other signatures

Process tree:

DHL Delivery Invoice AWB 2774038374 .pdf.exe (started)
    dropped: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, PE32
    dropped: C:\Users\...\uHlRqGSIW.exe:Zone.Identifier, ASCII
    dropped: C:\Users\user\AppData\Local\Temp\tmpCDD.tmp, XML
    dropped: DHL Delivery Invoi...038374 .pdf.exe.log, ASCII
    signature: Adds a directory exclusion to Windows Defender
    RegSvcs.exe (started)
        DNS/IP: smtp.yandex.ru 77.88.21.158, 49811, 49812, 587 YANDEXRU Russian Federation
        DNS/IP: smtp.yandex.com
        signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
        signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        signature: Tries to steal Mail credentials (via file / registry access)
        signature: 5 other signatures
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 33% | Virustotal |
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 100% | Avira | HEUR/AGEN.1140941
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | 100% | Avira | HEUR/AGEN.1140941
C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun

                      Unpacked PE Files

Source | Detection | Scanner | Label
13.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
0.0.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack | 100% | Avira | HEUR/AGEN.1140941
13.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
13.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
13.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
13.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
13.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comd6 | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://ykYQwS.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/a-d | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.fontbureau.comessed~ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/6 | 0% | URL Reputation | safe
http://www.fontbureau.comcep/ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.fontbureau.com6 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comrsiv) | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comcomd | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.carterandcone.comext: | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/M | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/D | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/q | 0% | URL Reputation | safe
http://www.fontbureau.comituFM | 0% | Avira URL Cloud | safe
http://www.carterandcone.comscreen | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/h | 0% | URL Reputation | safe
http://www.carterandcone.comzJo | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/e-e | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/c | 0% | URL Reputation | safe
http://www.carterandcone.comy: | 0% | Avira URL Cloud | safe
http://www.monotype.: | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/rs | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com. | 0% | URL Reputation | safe
http://www.sajatypeworks.comoftU | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sajatypeworks.com8 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/M | 0% | URL Reputation | safe
http://www.founder.com.cn/cnNJ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.comres# | 0% | Avira URL Cloud | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.fontbureau.comFM | 0% | Avira URL Cloud | safe
http://www.carterandcone.com- | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/~ | 0% | URL Reputation | safe
http://subca.ocsp-certum.com0. | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.comgritah | 0% | Avira URL Cloud | safe
http://www.fontbureau.comony | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.fontbureau.comdaF | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.comG | 0% | Avira URL Cloud | safe
http://www.fontbureau.comR.TTF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/Z | 0% | URL Reputation | safe
http://www.fontbureau.comF) | 0% | Avira URL Cloud | safe
https://I0Mrtx23jQBQ7aEbHqQ.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comW.TTFM | 0% | Avira URL Cloud | safe
http://www.carterandcone.comangN | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/q | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.galapagosdesign.com/D | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.fontbureau.comC.TTF | 0% | Avira URL Cloud | safe
http://yandex.ocsp-responder.com03 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high

                          URLs from Memory and Binaries

Each entry below lists Name, Source, Malicious, Antivirus Detection and Reputation.

Name: http://www.fontbureau.comd6
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: http://ykYQwS.com
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/a-d
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
Reputation: high

Name: http://www.fontbureau.comessed
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.comessed~
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: http://www.sajatypeworks.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281322115.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://repository.certum.pl/ca.cer09
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
Reputation: high

Name: http://www.founder.com.cn/cn/cThe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/6
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.comcep/
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.galapagosdesign.com/DPlease
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.ascendercorp.com/typedesigners.html
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com6
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fontbureau.comrsiv)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: http://www.urwpp.deDPlease
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.zhongyicts.com.cn
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
Reputation: high

Name: https://api.ipify.org%
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: low

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.certum.pl/CPS0
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
Reputation: high

Name: http://www.jiyu-kobo.co.jp/Z
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.galapagosdesign.com/
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.comcomd
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://crl.certum.pl/ctnca.crl0k
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection:
Reputation: high

Name: http://www.carterandcone.comext:
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/M
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/D
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmp
Malicious: false
                                    • URL Reputation: safe
                                    unknown
                                    http://smtp.yandex.comRegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.carterandcone.comlDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.founder.com.cn/cn/DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283731492.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283792623.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283823226.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283661315.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283605847.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283550929.0000000007E5A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283745473.0000000007E5A000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmlDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                        high
                                        http://crls.yandex.net/certum/ycasha2.crl0-RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/qDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comituFMDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comscreenDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/hDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284762977.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284668327.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284697527.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comzJoDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/e-eDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/cDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comy:DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.monotype.:DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288374211.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288394129.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288428074.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/rsDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sajatypeworks.com.DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comoftUDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designersGDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.com/designers/?DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cn/bTheDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers?DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.sajatypeworks.com8DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://yandex.crl.certum.pl/ycasha2.crl0qRegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/jp/MDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnNJDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283179466.0000000007E3E000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.tiro.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283808495.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283862148.0000000007E2D000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.goodfont.co.krDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.sajatypeworks.comres#DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.carterandcone.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comFMDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.carterandcone.com-DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://www.jiyu-kobo.co.jp/~DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://subca.ocsp-certum.com0.RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.typography.netDDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comgritahDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.comonyDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.galapagosdesign.com/staff/dennis.htmDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://fontfabrik.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comB.TTFDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://subca.ocsp-certum.com01RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://api.ipify.org%GETMozilla/5.0RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  low
                                                  http://www.fontbureau.comdaFDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fonts.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.sandoll.co.krDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.sakkal.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.carterandcone.comGDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.comR.TTFDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/jp/ZDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.comF)DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286437473.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    low
                                                    http://repository.certum.pl/ycasha2.cer0RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://I0Mrtx23jQBQ7aEbHqQ.comRegSvcs.exe, 0000000D.00000002.551775173.00000000032ED000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.apache.org/licenses/LICENSE-2.0DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                        high
                                                        Name | Source | Malicious | Antivirus Detection | Reputation
                                                        http://www.fontbureau.com | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287899875.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286577441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp | false |  | high
                                                        http://DynDns.comDynDNS | RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        http://www.fontbureau.comF | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287133112.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        http://repository.certum.pl/ctnca.cer09 | RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp | false |  | high
                                                        http://www.fontbureau.comW.TTFM | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                                        http://www.carterandcone.comangN | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                                        http://www.jiyu-kobo.co.jp/jp/q | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        https://www.certum.pl/CPS0 | RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp | false |  | high
                                                        http://www.jiyu-kobo.co.jp/jp/ | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        http://www.fontbureau.coma | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.294356101.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.319948570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        http://www.galapagosdesign.com/D | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288563700.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288487364.0000000007E5B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                                        http://www.fontbureau.comd | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286646679.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287133112.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286605058.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        http://www.fontbureau.comC.TTF | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286646679.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286723447.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286813060.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286789746.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286754815.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286677789.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                                        http://yandex.ocsp-responder.com03 | RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlN | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp | false |  | high
                                                        http://www.founder.com.cn/cn | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                                        http://www.fontbureau.com/designers/r-t | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286437473.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp | false |  | high
                                                        http://www.jiyu-kobo.co.jp/ | DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                  Contacted IPs


                                                                  Public

                                                                  IP | Domain | Country | ASN | ASN Name | Malicious
                                                                  77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false

                                                                  General Information

                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                  Analysis ID:553161
                                                                  Start date:14.01.2022
                                                                  Start time:12:12:25
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 10m 22s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:light
                                                                  Sample file name:DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                  Number of new started processes analysed:25
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@9/9@2/1
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HDC Information:
                                                                  • Successful, ratio: 1.4% (good quality ratio 0.9%)
                                                                  • Quality average: 40%
                                                                  • Quality standard deviation: 33.9%
                                                                  HCA Information:
                                                                  • Successful, ratio: 99%
                                                                  • Number of executed functions: 0
                                                                  • Number of non-executed functions: 0
                                                                  Cookbook Comments:
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  • Found application associated with file extension: .exe
                                                                  Warnings:
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.6.115, 20.54.110.249
                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                  • Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  Time | Type | Description
                                                                  12:13:49 | API Interceptor | 1x Sleep call for process: DHL Delivery Invoice AWB 2774038374 .pdf.exe modified
                                                                  12:13:53 | API Interceptor | 28x Sleep call for process: powershell.exe modified
                                                                  12:14:07 | API Interceptor | 719x Sleep call for process: RegSvcs.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  No context

                                                                  Domains

                                                                  No context

                                                                  ASN

                                                                  No context

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Delivery Invoice AWB 2774038374 .pdf.exe.log
                                                                  Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):1310
                                                                  Entropy (8bit):5.345651901398759
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                                  MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                                  SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                                  SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                                  SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):22308
                                                                  Entropy (8bit):5.603099437777812
                                                                  Encrypted:false
                                                                  SSDEEP:384:1tCD3Y0nVrWZBf9sFu5SrRn8S0nojultISP7Y9glSJ3xKT1MaXZlbAV7sxwG5ZBQ:Pj1sio8ToClttrlcICefwkVc
                                                                  MD5:DEC43304DCD2328F7D8DF2EEB1F46AFD
                                                                  SHA1:1616F15BA49499E2AF5F150D07B56C9BBA05CAE2
                                                                  SHA-256:25DC17278CD1D2818386B1C56AC734607F636091D6C3396D3A48FBBE41B837DA
                                                                  SHA-512:5C3EC6D0EB58FBA25A90DE636EB05E48F8BA80BCCA863E2D9A94514944A6ACF1D576BCDE88ACD37BF79FD613D16CEEEE475F58715F040AD7FD3CD989736A3CEB
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: @...e...................e...^.X.U.....M...D..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2s24r22.hk2.ps1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnebz11w.tod.psm1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
                                                                  Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1600
                                                                  Entropy (8bit):5.13189504670977
                                                                  Encrypted:false
                                                                  SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt+xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTyv
                                                                  MD5:73DF604589172A494DE9CCA5E3D7A16E
                                                                  SHA1:181096A65607DAB9B1C31F77402B52EB30DFCACD
                                                                  SHA-256:4DFA1BC1558CD76B1C9CF89CF7A3CA77170452041C32EE28D9C239E4249C394F
                                                                  SHA-512:15ADB4BC30D945BC56CAE5D948B21B3B6C725236419BA8EB98345D060E189966814F04ED842CC0D94839AB6830DF72E289C54F24EF3E6224C453BF626595A5CB
                                                                  Malicious:true
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                  C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
                                                                  Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):550400
                                                                  Entropy (8bit):7.713292286610871
                                                                  Encrypted:false
                                                                  SSDEEP:12288:pCCqskK777777777777KPQly5rwG67HrPGH6oMSDnL2CgfeWhrek:pCnK777777777777KodpfuH6zSjLt
                                                                  MD5:A44512118BE5E5420C9D710A96353898
                                                                  SHA1:5867F5FAF6ACFA48B90F21D655411FD98D50136D
                                                                  SHA-256:9CA32954BC9AE96F11D246CA45443522A731631C154F768938C556869E01B555
                                                                  SHA-512:A8251DCA003FF59B30681FC6AF02F18373638C8A6485D1EA73AB8299A02D287CB5C55F36BF30F960C7951259827B3D48EDAFD6A032E437CE5DB1C889BA230F01
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 51%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o..a..............0..\...........y... ........@.. ....................................@..................................y..O.................................................................................... ............... ..H............text....Z... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................y......H.......@...l...............P............................................up~..y.AUu&.2r.K.L@...#g.g.2..k..g.E%.;UN..C.9....G........s5K.W[..Yg..A..t...j...t{.....%../..z.NM.Y..b.N.A.1{.6.s.].U..X.."dO...h8O.5b..I.O..b...y.N.J.[..D..Vb.....yY....J7.......Z(......XM.0q...>a...3a.-(O]^..3...........<.......H..CR.U.......L.b^.Ak.a{b.f.......z.6..o..X..Z...,c..{.&.3S.=x...c1:.<.Lo2.[....8fPG...4..M.-.f.....V..g.......z.........,l.|G....g`..pA-...#..O.[..h.,.*@..
                                                                  C:\Users\user\AppData\Roaming\uHlRqGSIW.exe:Zone.Identifier
                                                                  Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                  C:\Users\user\AppData\Roaming\yqbb5t2l.acx\Chrome\Default\Cookies
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):0.698304057893793
                                                                  Encrypted:false
                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
                                                                  MD5:3806E8153A55C1A2DA0B09461A9C882A
                                                                  SHA1:BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
                                                                  SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
                                                                  SHA-512:31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
                                                                  Malicious:false
                                                                  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\Documents\20220114\PowerShell_transcript.414408.8ocki2zp.20220114121352.txt
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):5795
                                                                  Entropy (8bit):5.395583878877797
                                                                  Encrypted:false
                                                                  SSDEEP:96:BZN/jNsqDo1ZpZz/jNsqDo1ZiFftjZk/jNsqDo1ZisddfZg:N
                                                                  MD5:C21A8A6A317627BC5A69E31FAF91D394
                                                                  SHA1:6B2DE34F22814D565DF6DE4EC4CAAD2CF454F894
                                                                  SHA-256:B03D80345CD4A86A1A5176787D87F97434FD9A9661709B48049DBB5A451C6D7F
                                                                  SHA-512:3CA45FF9627199A0F6CDB32B23E76DA16BDA09A2748D431F70B95670E769FC1A1EA2BCBDDCB186AEA5567E4E9F4DA5F23A321225D73B1740A1742E224FB66241
                                                                  Malicious:false
                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114121353..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uHlRqGSIW.exe..Process ID: 6916..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114121353..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uHlRqGSIW.exe..**********************..Windows PowerShell transcript start..Start time: 20220114121720..Username: computer\user..RunAs User: computer\a

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.713292286610871
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  File size:550400
                                                                  MD5:a44512118be5e5420c9d710a96353898
                                                                  SHA1:5867f5faf6acfa48b90f21d655411fd98d50136d
                                                                  SHA256:9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555
                                                                  SHA512:a8251dca003ff59b30681fc6af02f18373638c8a6485d1ea73ab8299a02d287cb5c55f36bf30f960c7951259827b3d48edafd6a032e437ce5db1c889ba230f01
                                                                  SSDEEP:12288:pCCqskK777777777777KPQly5rwG67HrPGH6oMSDnL2CgfeWhrek:pCnK777777777777KodpfuH6zSjLt
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o..a..............0..\...........y... ........@.. ....................................@................................

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4879fe
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x61E0B96F [Thu Jan 13 23:44:47 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]

                                                                  Data Directories

                                                                  Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x879ac         | 0x4f         | .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x88000         | 0x5d0        | .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x8a000         | 0xc          | .reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                  Sections

                                                                  Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
                                                                  .text  | 0x2000          | 0x85a04      | 0x85c00  | False    | 0.852915084696  | data      | 7.72362140685   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rsrc  | 0x88000         | 0x5d0        | 0x600    | False    | 0.42578125      | data      | 4.12284332738   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc | 0x8a000         | 0xc          | 0x200    | False    | 0.041015625     | data      | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  Name        | RVA     | Size  | Type                                                                        | Language | Country
                                                                  RT_VERSION  | 0x880a0 | 0x344 | data                                                                        |          |
                                                                  RT_MANIFEST | 0x883e4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

                                                                  Imports

                                                                  DLL         | Import
                                                                  mscoree.dll | _CorExeMain

                                                                  Version Infos

                                                                  Description      | Data
                                                                  Translation      | 0x0000 0x04b0
                                                                  LegalCopyright   | Copyright 2015
                                                                  Assembly Version | 1.0.0.0
                                                                  InternalName     | NamedPermissionS.exe
                                                                  FileVersion      | 1.0.0.0
                                                                  CompanyName      |
                                                                  LegalTrademarks  |
                                                                  Comments         |
                                                                  ProductName      | ram machine
                                                                  ProductVersion   | 1.0.0.0
                                                                  FileDescription  | ram machine
                                                                  OriginalFilename | NamedPermissionS.exe

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  Timestamp                          | Source Port | Dest Port | Source IP    | Dest IP
                                                                  Jan 14, 2022 12:15:33.874509096 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:33.937074900 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:33.937484980 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.235848904 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.236306906 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.301373959 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.301402092 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.301743031 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.364252090 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.405864954 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.413069963 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.478431940 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.478491068 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.478533983 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.478569031 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.478611946 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.478658915 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.532310009 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.599275112 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.640250921 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.721071959 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.791799068 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.793009996 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.855753899 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.857422113 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:34.946932077 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:34.947916985 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:35.020853996 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:35.021354914 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:35.094919920 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5
                                                                  Jan 14, 2022 12:15:35.095390081 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158
                                                                  Jan 14, 2022 12:15:35.158451080 CET5874981177.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:35.160027027 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:35.160221100 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:35.161396027 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:35.161506891 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:35.223469019 CET5874981177.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:35.224037886 CET5874981177.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:35.784244061 CET5874981177.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:35.827836990 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:36.580534935 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:36.643496037 CET5874981177.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:36.643518925 CET5874981177.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:36.644445896 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:36.659677982 CET49811587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:36.660762072 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:36.719041109 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:36.720439911 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:36.722167969 CET5874981177.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:36.943209887 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:36.943656921 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.002892971 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.002964973 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.003392935 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.062109947 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.063049078 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.132071018 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.132101059 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.132119894 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.132133961 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.132322073 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.148504019 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.213006973 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.216746092 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.287678003 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.288562059 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.351753950 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.352478981 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.448348045 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.449217081 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.532568932 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.533130884 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.622792959 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.623269081 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.685412884 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.687798023 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.687963009 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.688097000 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.688380957 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.688657045 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.688740969 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.688827991 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.688916922 CET49812587192.168.2.577.88.21.158
                                                                  Jan 14, 2022 12:15:37.743338108 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.744195938 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.744332075 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:37.744668961 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:38.089783907 CET5874981277.88.21.158192.168.2.5
                                                                  Jan 14, 2022 12:15:38.140506983 CET49812587192.168.2.577.88.21.158

                                                                  UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 14, 2022 12:15:33.791867971 CET  60075        53         192.168.2.5   8.8.8.8
Jan 14, 2022 12:15:33.811069965 CET  53           60075      8.8.8.8       192.168.2.5
Jan 14, 2022 12:15:33.826654911 CET  55016        53         192.168.2.5   8.8.8.8
Jan 14, 2022 12:15:33.844248056 CET  53           55016      8.8.8.8       192.168.2.5

                                                                  DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
Jan 14, 2022 12:15:33.791867971 CET  192.168.2.5  8.8.8.8  0xf445    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)
Jan 14, 2022 12:15:33.826654911 CET  192.168.2.5  8.8.8.8  0xdac9    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)

                                                                  DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName           Address       Type                    Class
Jan 14, 2022 12:15:33.811069965 CET  8.8.8.8    192.168.2.5  0xf445    No error (0)  smtp.yandex.com  smtp.yandex.ru  -             CNAME (Canonical name)  IN (0x0001)
Jan 14, 2022 12:15:33.811069965 CET  8.8.8.8    192.168.2.5  0xf445    No error (0)  smtp.yandex.ru   -               77.88.21.158  A (IP address)          IN (0x0001)
Jan 14, 2022 12:15:33.844248056 CET  8.8.8.8    192.168.2.5  0xdac9    No error (0)  smtp.yandex.com  smtp.yandex.ru  -             CNAME (Canonical name)  IN (0x0001)
Jan 14, 2022 12:15:33.844248056 CET  8.8.8.8    192.168.2.5  0xdac9    No error (0)  smtp.yandex.ru   -               77.88.21.158  A (IP address)          IN (0x0001)

                                                                  SMTP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP       Commands
Jan 14, 2022 12:15:34.235848904 CET  587          49811      77.88.21.158  192.168.2.5   220 myt6-efff10c3476a.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642158934-DxmiumVCju-FXPeFLdT
Jan 14, 2022 12:15:34.236306906 CET  49811        587        192.168.2.5   77.88.21.158  EHLO 414408
Jan 14, 2022 12:15:34.301402092 CET  587          49811      77.88.21.158  192.168.2.5   250-myt6-efff10c3476a.qloud-c.yandex.net
                                                                                         250-8BITMIME
                                                                                         250-PIPELINING
                                                                                         250-SIZE 53477376
                                                                                         250-STARTTLS
                                                                                         250-AUTH LOGIN PLAIN XOAUTH2
                                                                                         250-DSN
                                                                                         250 ENHANCEDSTATUSCODES
Jan 14, 2022 12:15:34.301743031 CET  49811        587        192.168.2.5   77.88.21.158  STARTTLS
Jan 14, 2022 12:15:34.364252090 CET  587          49811      77.88.21.158  192.168.2.5   220 Go ahead
Jan 14, 2022 12:15:36.943209887 CET  587          49812      77.88.21.158  192.168.2.5   220 iva5-057a0d1fbbd8.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642158936-fWlcdS4Ymy-FaQiJarb
Jan 14, 2022 12:15:36.943656921 CET  49812        587        192.168.2.5   77.88.21.158  EHLO 414408
Jan 14, 2022 12:15:37.002964973 CET  587          49812      77.88.21.158  192.168.2.5   250-iva5-057a0d1fbbd8.qloud-c.yandex.net
                                                                                         250-8BITMIME
                                                                                         250-PIPELINING
                                                                                         250-SIZE 53477376
                                                                                         250-STARTTLS
                                                                                         250-AUTH LOGIN PLAIN XOAUTH2
                                                                                         250-DSN
                                                                                         250 ENHANCEDSTATUSCODES
Jan 14, 2022 12:15:37.003392935 CET  49812        587        192.168.2.5   77.88.21.158  STARTTLS
Jan 14, 2022 12:15:37.062109947 CET  587          49812      77.88.21.158  192.168.2.5   220 Go ahead
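The TCP, DNS and SMTP tables above record two submissions to smtp.yandex.com (resolved through a CNAME to smtp.yandex.ru, 77.88.21.158) on port 587, each upgraded with STARTTLS immediately after EHLO. The script below is an added example and not part of the Joe Sandbox report: it takes a constructed subset of those rows, groups packets into client sessions, walks the DNS answers back from the address to the name that was queried, and follows each SMTP dialogue far enough to say whether the capture is still readable. The practical point is the last one: once the server answers 220 to STARTTLS, the AUTH exchange and the message body are encrypted, so the mailbox credentials and the harvested data have to come from the extracted configuration or from process memory, not from the pcap. The row layout, the CLIENT constant and the set of mail submission ports are assumptions of the example.

```python
"""Session summary for the sandbox network capture above.

Added example, not part of the Joe Sandbox report. Input rows are a
constructed subset transcribed from the report's TCP, DNS Answers and
SMTP Packets tables.
"""
from collections import defaultdict

CLIENT = "192.168.2.5"                 # assumption: the analysis VM's address
MAIL_SUBMISSION_PORTS = {25, 465, 587}  # assumption: ports treated as mail submission

# (timestamp, src_port, dst_port, src_ip, dst_ip), constructed subset of the TCP table
TCP_ROWS = [
    ("12:15:33.874509096", 49811, 587, "192.168.2.5", "77.88.21.158"),
    ("12:15:33.937074900", 587, 49811, "77.88.21.158", "192.168.2.5"),
    ("12:15:34.301743031", 49811, 587, "192.168.2.5", "77.88.21.158"),
    ("12:15:36.660762072", 49812, 587, "192.168.2.5", "77.88.21.158"),
    ("12:15:36.719041109", 587, 49812, "77.88.21.158", "192.168.2.5"),
    ("12:15:38.140506983", 49812, 587, "192.168.2.5", "77.88.21.158"),
]
# (name, cname or None, address or None), constructed from the DNS Answers table
DNS_ANSWERS = [
    ("smtp.yandex.com", "smtp.yandex.ru", None),
    ("smtp.yandex.ru", None, "77.88.21.158"),
]
# (client_port, "C" for client / "S" for server, text), constructed from the SMTP table
SMTP_LOG = [
    (49811, "S", "220 myt6-efff10c3476a.qloud-c.yandex.net ESMTP"),
    (49811, "C", "EHLO 414408"),
    (49811, "S", "250-STARTTLS\n250-AUTH LOGIN PLAIN XOAUTH2\n250 ENHANCEDSTATUSCODES"),
    (49811, "C", "STARTTLS"),
    (49811, "S", "220 Go ahead"),
    (49812, "S", "220 iva5-057a0d1fbbd8.qloud-c.yandex.net ESMTP"),
    (49812, "C", "EHLO 414408"),
    (49812, "S", "250-STARTTLS\n250-AUTH LOGIN PLAIN XOAUTH2\n250 ENHANCEDSTATUSCODES"),
    (49812, "C", "STARTTLS"),
    (49812, "S", "220 Go ahead"),
]


def sessions(rows):
    """Group packets into client sessions keyed by the client's ephemeral port."""
    out = {}
    for ts, sport, dport, src, dst in rows:
        outbound = src == CLIENT
        key = sport if outbound else dport
        s = out.setdefault(key, {
            "server": dst if outbound else src,
            "server_port": dport if outbound else sport,
            "first": ts, "last": ts, "packets": 0,
        })
        s["last"] = ts
        s["packets"] += 1
    return out


def names_for(answers, ip):
    """Walk the CNAME chain backwards: address -> canonical name -> every name that aliases it."""
    names = {n for n, c, a in answers if a == ip}
    while True:
        more = {n for n, c, a in answers if c in names} - names
        if not more:
            return sorted(names)
        names |= more


def smtp_state(log):
    """Per session: EHLO identity, AUTH mechanisms offered, and whether STARTTLS was accepted."""
    st = defaultdict(lambda: {"ehlo": None, "auth": [], "starttls_sent": False, "tls": False})
    for port, who, text in log:
        s = st[port]
        if who == "C":
            if text.upper().startswith("EHLO "):
                s["ehlo"] = text.split(None, 1)[1]
            elif text.upper() == "STARTTLS":
                s["starttls_sent"] = True
        else:
            for line in text.splitlines():
                if line[4:].upper().startswith("AUTH "):   # "250-AUTH LOGIN PLAIN XOAUTH2"
                    s["auth"] = line[9:].split()
            if s["starttls_sent"] and text.startswith("220"):
                s["tls"] = True                           # everything after this is ciphertext
    return dict(st)


def findings(rows, answers, log):
    """Mail-submission sessions with their resolved names and how much of them the pcap shows."""
    out = []
    smtp = smtp_state(log)
    for port, s in sessions(rows).items():
        if s["server_port"] not in MAIL_SUBMISSION_PORTS:
            continue
        st = smtp.get(port, {})
        out.append({
            "client_port": port,
            "server": s["server"],
            "names": names_for(answers, s["server"]),
            "ehlo": st.get("ehlo"),
            "auth_offered": st.get("auth", []),
            "visibility": ("TLS negotiated; AUTH and message body are not in the capture"
                           if st.get("tls") else "plaintext"),
        })
    return out


if __name__ == "__main__":
    for f in findings(TCP_ROWS, DNS_ANSWERS, SMTP_LOG):
        print(f)
```

On the report's own data this yields two sessions (client ports 49811 and 49812), both to an address that resolves back to smtp.yandex.com, both identifying themselves as "414408" in EHLO, and both marked as TLS-wrapped before any AUTH command, which is why the SMTP table ends at "220 Go ahead".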

                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior


                                                                  System Behavior

                                                                  General

                                                                  Start time:12:13:40
                                                                  Start date:14/01/2022
                                                                  Path:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
                                                                  Imagebase:0x670000
                                                                  File size:550400 bytes
                                                                  MD5 hash:A44512118BE5E5420C9D710A96353898
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  General

                                                                  Start time:12:13:50
                                                                  Start date:14/01/2022
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe"
                                                                  Imagebase:0x9a0000
                                                                  File size:430592 bytes
                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high

                                                                  General

                                                                  Start time:12:13:51
                                                                  Start date:14/01/2022
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:12:13:51
                                                                  Start date:14/01/2022
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp"
                                                                  Imagebase:0xa50000
                                                                  File size:185856 bytes
                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:12:13:52
                                                                  Start date:14/01/2022
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:12:13:54
                                                                  Start date:14/01/2022
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Imagebase:0xb50000
                                                                  File size:45152 bytes
                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:high
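Read together, the command lines in the process list above are the persistence and defense-evasion chain the signatures flag: a double-extension lure, a Defender exclusion for a dropped file under AppData\Roaming, a scheduled task created from an XML file in the user's Temp directory, and RegSvcs.exe started with no arguments, in which the AgentTesla Yara rules then match. The script below is an added example and not part of the Joe Sandbox report: it applies those four checks to the command lines (copied as constructed input, with the outer quotes restored) and returns one indicator per hit. The hollowing-host list, the regular expressions and the user-writable-path test are the example's own heuristics, not something the report states.

```python
"""Command-line triage for the process tree above.

Added example, not part of the Joe Sandbox report. PROCESSES is a
constructed copy of the report's (path, command line) pairs.
"""
import re

PROCESSES = [
    (r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe",
     r'"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" '
     r'/XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp"'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]

# Heuristics (the example's own, not the report's):
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\s*\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# .NET framework binaries commonly started with no arguments purely to host injected code
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def split_cmd(cmd):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def indicators(image, cmdline):
    """Return (kind, detail) pairs for every indicator found in one process."""
    name = image.rsplit("\\", 1)[-1].lower()
    args = split_cmd(cmdline)[1:]           # drop the image path itself
    hits = []

    if DOUBLE_EXT.search(name):
        hits.append(("double_extension", name))

    if name == "powershell.exe" and any(a.lower() == "add-mppreference" for a in args):
        for i, a in enumerate(args):
            if a.lower().startswith("-exclusion") and i + 1 < len(args):
                where = "user-writable" if USER_WRITABLE.search(args[i + 1]) else "system"
                hits.append(("defender_exclusion", f"{args[i + 1]} ({where})"))

    if name == "schtasks.exe" and any(a.lower() == "/create" for a in args):
        for i, a in enumerate(args):
            if a.lower() == "/xml" and i + 1 < len(args) and TEMP_DIR.search(args[i + 1]):
                hits.append(("schtask_from_temp", args[i + 1]))

    if name in HOLLOW_HOSTS and not args:
        hits.append(("hollow_host_no_args", name))

    return hits


def triage(processes):
    """Flatten indicators over the whole process list as (image basename, kind, detail)."""
    return [(img.rsplit("\\", 1)[-1], kind, detail)
            for img, cmd in processes
            for kind, detail in indicators(img, cmd)]


if __name__ == "__main__":
    for basename, kind, detail in triage(PROCESSES):
        print(f"{basename}: {kind}: {detail}")
```

The same four checks map directly onto the signatures listed at the top of the report (double extension, Powershell Defender Exclusion, Suspicious Add Task From User AppData Temp) plus the Yara hits in RegSvcs.exe; running them against live process-creation telemetry rather than a sandbox export is the usual next step.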
