Windows Analysis Report DHL_AWB_NO#907853880911.exe

Overview

General Information

Sample Name: DHL_AWB_NO#907853880911.exe
Analysis ID: 532893
MD5: 37340b33801b049ca07055a4bcca5f27
SHA1: f742cbc4772f88bcc3e98b3a1f2396d813cc0ff5
SHA256: ea87186f72f8963ae73aaa33ab50634f83f945cdef2b73e7bef08dce61807c56
Tags: exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.makheads.com/fl9w/"], "decoy": ["alicebowtique.com", "way2discounts.com", "chihangjingmi.com", "exmcap.com", "artisquid.com", "financelbs.com", "tresholdnetwork.com", "www-9367.com", "funtripsouthindia.com", "ibew-neca.com", "elqaunim.com", "gbetapi.com", "turkthee.com", "greaterdetroitrealtyexpert.com", "springhousevet.com", "dgjt1688.com", "broomsweeping.com", "bettyfred.xyz", "afmcabnot6.xyz", "toylandmetaverse.com", "livelifeloveloes.com", "tabuchikazuharu.com", "johnnymarrjaguarguitar.com", "pintoppers.net", "anstransport.net", "gazprommeta.com", "starisle.online", "abbeastore.com", "piratcigo.com", "opito.digital", "bemaster.guru", "foerderportal-thueringen.net", "mendy.link", "qasimabdullah.com", "michaelsmetaverse.com", "oasiganaiblog.com", "metaplayvr.com", "lesspainmoresleep.com", "600717ua.xyz", "lauraderksen.com", "listentoyourovo.com", "businessfunnelpro.com", "lowpricetoday.online", "etutorpay.com", "uootpon.xyz", "dazelu8.com", "kirklandweightlosssecret.com", "godrunner001.com", "melvinmillsroof.com", "herdeiras.com", "fitztoursmontreal.com", "super-ultra-porn.net", "choumok-bom.com", "raribledollar.com", "womencando.info", "meicarijp-jpo.com", "yymfzp.com", "sops.wiki", "rusungolf.com", "smellyrose.com", "hueslook.club", "screenlyco.com", "akasamotor.online", "formacioneducaciondesarollo.com"]}
Multi AV Scanner detection for submitted file
Source: DHL_AWB_NO#907853880911.exe Virustotal: Detection: 25% Perma Link
Source: DHL_AWB_NO#907853880911.exe Metadefender: Detection: 31% Perma Link
Source: DHL_AWB_NO#907853880911.exe ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.makheads.com/fl9w/ Virustotal: Detection: 9% Perma Link
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: DHL_AWB_NO#907853880911.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_AWB_NO#907853880911.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.740455030.00000000011BF000.00000040.00000001.sdmp, DHL_AWB_NO#907853880911.exe, 00000002.00000002.736402550.00000000010A0000.00000040.00000001.sdmp, mstsc.exe, 00000009.00000002.932676468.00000000047BF000.00000040.00000001.sdmp, mstsc.exe, 00000009.00000002.932440573.00000000046A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DHL_AWB_NO#907853880911.exe, DHL_AWB_NO#907853880911.exe, 00000002.00000002.740455030.00000000011BF000.00000040.00000001.sdmp, DHL_AWB_NO#907853880911.exe, 00000002.00000002.736402550.00000000010A0000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000009.00000002.932676468.00000000047BF000.00000040.00000001.sdmp, mstsc.exe, 00000009.00000002.932440573.00000000046A0000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.742005114.0000000002D40000.00000040.00020000.sdmp
Source: Binary string: mstsc.pdb source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.742005114.0000000002D40000.00000040.00020000.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 4x nop then pop edi 2_2_00416CD6
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 4x nop then pop edi 2_2_00417DA8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop edi 9_2_00166CD6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop edi 9_2_00167DA8

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.makheads.com/fl9w/
Source: explorer.exe, 0000000F.00000000.845439337.0000000006640000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.895194178.0000000006640000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: unknown DNS traffic detected: queries for: www.ibew-neca.com

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: DHL_AWB_NO#907853880911.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041E86E 2_2_0041E86E
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00401026 2_2_00401026
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041E195 2_2_0041E195
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041D9A3 2_2_0041D9A3
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041E25A 2_2_0041E25A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00409E4D 2_2_00409E4D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00409E50 2_2_00409E50
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041DE24 2_2_0041DE24
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041D7AB 2_2_0041D7AB
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CF900 2_2_010CF900
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E4120 2_2_010E4120
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181002 2_2_01181002
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0119E824 2_2_0119E824
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA830 2_2_010EA830
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DB090 2_2_010DB090
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F20A0 2_2_010F20A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011920A8 2_2_011920A8
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011928EC 2_2_011928EC
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01192B28 2_2_01192B28
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EAB40 2_2_010EAB40
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FEBB0 2_2_010FEBB0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011803DA 2_2_011803DA
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118DBD2 2_2_0118DBD2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FABD8 2_2_010FABD8
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011723E3 2_2_011723E3
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0117FA2B 2_2_0117FA2B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011922AE 2_2_011922AE
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01192D07 2_2_01192D07
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C0D20 2_2_010C0D20
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01191D55 2_2_01191D55
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011925DD 2_2_011925DD
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DD5E0 2_2_010DD5E0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D841F 2_2_010D841F
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118D466 2_2_0118D466
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0119DFCE 2_2_0119DFCE
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01191FF1 2_2_01191FF1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118D616 2_2_0118D616
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E6E30 2_2_010E6E30
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01192EF7 2_2_01192EF7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478D466 9_2_0478D466
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D841F 9_2_046D841F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04791D55 9_2_04791D55
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C0D20 9_2_046C0D20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04792D07 9_2_04792D07
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046DD5E0 9_2_046DD5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047925DD 9_2_047925DD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F2581 9_2_046F2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046E6E30 9_2_046E6E30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478D616 9_2_0478D616
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04792EF7 9_2_04792EF7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04791FF1 9_2_04791FF1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0479DFCE 9_2_0479DFCE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0479E824 9_2_0479E824
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781002 9_2_04781002
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047928EC 9_2_047928EC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F20A0 9_2_046F20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047920A8 9_2_047920A8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046DB090 9_2_046DB090
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046E4120 9_2_046E4120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046CF900 9_2_046CF900
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047922AE 9_2_047922AE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04792B28 9_2_04792B28
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047803DA 9_2_047803DA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478DBD2 9_2_0478DBD2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FEBB0 9_2_046FEBB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016E86E 9_2_0016E86E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016E195 9_2_0016E195
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016D9A3 9_2_0016D9A3
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016E25A 9_2_0016E25A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_00152D90 9_2_00152D90
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_00152D87 9_2_00152D87
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016DE24 9_2_0016DE24
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_00159E50 9_2_00159E50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_00159E4D 9_2_00159E4D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_00152FB0 9_2_00152FB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016D7AB 9_2_0016D7AB
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: String function: 010CB150 appears 133 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 046CB150 appears 45 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A350 NtCreateFile, 2_2_0041A350
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A400 NtReadFile, 2_2_0041A400
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A480 NtClose, 2_2_0041A480
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A530 NtAllocateVirtualMemory, 2_2_0041A530
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A34A NtCreateFile, 2_2_0041A34A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A3FB NtReadFile, 2_2_0041A3FB
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A47B NtReadFile, 2_2_0041A47B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A4AA NtClose, 2_2_0041A4AA
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A52C NtAllocateVirtualMemory, 2_2_0041A52C
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041A5AA NtAllocateVirtualMemory, 2_2_0041A5AA
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01109910
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011099A0 NtCreateSection,LdrInitializeThunk, 2_2_011099A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109840 NtDelayExecution,LdrInitializeThunk, 2_2_01109840
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01109860
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011098F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_011098F0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01109A00
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109A20 NtResumeThread,LdrInitializeThunk, 2_2_01109A20
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109A50 NtCreateFile,LdrInitializeThunk, 2_2_01109A50
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109540 NtReadFile,LdrInitializeThunk, 2_2_01109540
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011095D0 NtClose,LdrInitializeThunk, 2_2_011095D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01109710
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01109780
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011097A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_011097A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01109660
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011096E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_011096E0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109950 NtQueueApcThread, 2_2_01109950
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011099D0 NtCreateProcessEx, 2_2_011099D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109820 NtEnumerateKey, 2_2_01109820
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0110B040 NtSuspendThread, 2_2_0110B040
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011098A0 NtWriteVirtualMemory, 2_2_011098A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109B00 NtSetValueKey, 2_2_01109B00
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0110A3B0 NtGetContextThread, 2_2_0110A3B0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109A10 NtQuerySection, 2_2_01109A10
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109A80 NtOpenDirectoryObject, 2_2_01109A80
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0110AD30 NtSetContextThread, 2_2_0110AD30
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109520 NtWaitForSingleObject, 2_2_01109520
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109560 NtWriteFile, 2_2_01109560
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011095F0 NtQueryInformationFile, 2_2_011095F0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0110A710 NtOpenProcessToken, 2_2_0110A710
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109730 NtQueryVirtualMemory, 2_2_01109730
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0110A770 NtOpenThread, 2_2_0110A770
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109770 NtSetInformationFile, 2_2_01109770
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109760 NtOpenProcess, 2_2_01109760
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109FE0 NtCreateMutant, 2_2_01109FE0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109610 NtEnumerateValueKey, 2_2_01109610
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109650 NtQueryValueKey, 2_2_01109650
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01109670 NtQueryInformationProcess, 2_2_01109670
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011096D0 NtCreateKey, 2_2_011096D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709540 NtReadFile,LdrInitializeThunk, 9_2_04709540
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047095D0 NtClose,LdrInitializeThunk, 9_2_047095D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_04709660
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709650 NtQueryValueKey,LdrInitializeThunk, 9_2_04709650
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047096E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_047096E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047096D0 NtCreateKey,LdrInitializeThunk, 9_2_047096D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709710 NtQueryInformationToken,LdrInitializeThunk, 9_2_04709710
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709FE0 NtCreateMutant,LdrInitializeThunk, 9_2_04709FE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709780 NtMapViewOfSection,LdrInitializeThunk, 9_2_04709780
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_04709860
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709840 NtDelayExecution,LdrInitializeThunk, 9_2_04709840
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_04709910
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047099A0 NtCreateSection,LdrInitializeThunk, 9_2_047099A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709A50 NtCreateFile,LdrInitializeThunk, 9_2_04709A50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709560 NtWriteFile, 9_2_04709560
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0470AD30 NtSetContextThread, 9_2_0470AD30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709520 NtWaitForSingleObject, 9_2_04709520
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047095F0 NtQueryInformationFile, 9_2_047095F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709670 NtQueryInformationProcess, 9_2_04709670
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709610 NtEnumerateValueKey, 9_2_04709610
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0470A770 NtOpenThread, 9_2_0470A770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709770 NtSetInformationFile, 9_2_04709770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709760 NtOpenProcess, 9_2_04709760
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709730 NtQueryVirtualMemory, 9_2_04709730
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0470A710 NtOpenProcessToken, 9_2_0470A710
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047097A0 NtUnmapViewOfSection, 9_2_047097A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0470B040 NtSuspendThread, 9_2_0470B040
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709820 NtEnumerateKey, 9_2_04709820
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047098F0 NtReadVirtualMemory, 9_2_047098F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047098A0 NtWriteVirtualMemory, 9_2_047098A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709950 NtQueueApcThread, 9_2_04709950
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047099D0 NtCreateProcessEx, 9_2_047099D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709A20 NtResumeThread, 9_2_04709A20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709A10 NtQuerySection, 9_2_04709A10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709A00 NtProtectVirtualMemory, 9_2_04709A00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709A80 NtOpenDirectoryObject, 9_2_04709A80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04709B00 NtSetValueKey, 9_2_04709B00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0470A3B0 NtGetContextThread, 9_2_0470A3B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A350 NtCreateFile, 9_2_0016A350
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A400 NtReadFile, 9_2_0016A400
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A480 NtClose, 9_2_0016A480
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A530 NtAllocateVirtualMemory, 9_2_0016A530
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A34A NtCreateFile, 9_2_0016A34A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A3FB NtReadFile, 9_2_0016A3FB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A47B NtReadFile, 9_2_0016A47B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A4AA NtClose, 9_2_0016A4AA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A52C NtAllocateVirtualMemory, 9_2_0016A52C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016A5AA NtAllocateVirtualMemory, 9_2_0016A5AA
Sample file is different than original file name gathered from version info
Source: DHL_AWB_NO#907853880911.exe Binary or memory string: OriginalFilename vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000000.661693370.0000000000B32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameITypeLibExporterNameProvid.exeF vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676733257.0000000003FAB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe Binary or memory string: OriginalFilename vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe, 00000002.00000000.673078741.0000000000602000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameITypeLibExporterNameProvid.exeF vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.740455030.00000000011BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.742234522.0000000002E63000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemstsc.exej% vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.741583326.000000000134F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_AWB_NO#907853880911.exe
Source: DHL_AWB_NO#907853880911.exe Binary or memory string: OriginalFilenameITypeLibExporterNameProvid.exeF vs DHL_AWB_NO#907853880911.exe
PE file contains strange resources
Source: DHL_AWB_NO#907853880911.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_AWB_NO#907853880911.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_AWB_NO#907853880911.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL_AWB_NO#907853880911.exe Virustotal: Detection: 25%
Source: DHL_AWB_NO#907853880911.exe Metadefender: Detection: 31%
Source: DHL_AWB_NO#907853880911.exe ReversingLabs: Detection: 51%
Source: DHL_AWB_NO#907853880911.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe "C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe"
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process created: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process created: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB_NO#907853880911.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@1/0
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_01
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Mutant created: \Sessions\1\BaseNamedObjects\BEvagxB
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DHL_AWB_NO#907853880911.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_AWB_NO#907853880911.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.740455030.00000000011BF000.00000040.00000001.sdmp, DHL_AWB_NO#907853880911.exe, 00000002.00000002.736402550.00000000010A0000.00000040.00000001.sdmp, mstsc.exe, 00000009.00000002.932676468.00000000047BF000.00000040.00000001.sdmp, mstsc.exe, 00000009.00000002.932440573.00000000046A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DHL_AWB_NO#907853880911.exe, DHL_AWB_NO#907853880911.exe, 00000002.00000002.740455030.00000000011BF000.00000040.00000001.sdmp, DHL_AWB_NO#907853880911.exe, 00000002.00000002.736402550.00000000010A0000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000009.00000002.932676468.00000000047BF000.00000040.00000001.sdmp, mstsc.exe, 00000009.00000002.932440573.00000000046A0000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.742005114.0000000002D40000.00000040.00020000.sdmp
Source: Binary string: mstsc.pdb source: DHL_AWB_NO#907853880911.exe, 00000002.00000002.742005114.0000000002D40000.00000040.00020000.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: DHL_AWB_NO#907853880911.exe, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.DHL_AWB_NO#907853880911.exe.b30000.0.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.DHL_AWB_NO#907853880911.exe.b30000.0.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.DHL_AWB_NO#907853880911.exe.600000.1.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.DHL_AWB_NO#907853880911.exe.600000.5.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.2.DHL_AWB_NO#907853880911.exe.600000.1.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.DHL_AWB_NO#907853880911.exe.600000.2.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.DHL_AWB_NO#907853880911.exe.600000.0.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.DHL_AWB_NO#907853880911.exe.600000.7.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.DHL_AWB_NO#907853880911.exe.600000.3.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.DHL_AWB_NO#907853880911.exe.600000.9.unpack, _PS360Drum/FrmMain.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00417008 push eax; ret 2_2_0041700A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041EA54 push dword ptr [56382DF9h]; ret 2_2_0041EA74
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00417C59 pushfd ; iretd 2_2_00417C5A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041D4F2 push eax; ret 2_2_0041D4F8
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041D4FB push eax; ret 2_2_0041D562
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041D4A5 push eax; ret 2_2_0041D4F8
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041D55C push eax; ret 2_2_0041D562
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_004165DC push es; iretd 2_2_004165DD
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0041774A push ecx; retf 2_2_00417751
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0111D0D1 push ecx; ret 2_2_0111D0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0471D0D1 push ecx; ret 9_2_0471D0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_00167008 push eax; ret 9_2_0016700A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016EA54 push dword ptr [56382DF9h]; ret 9_2_0016EA74
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_00167C59 pushfd ; iretd 9_2_00167C5A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016D4A5 push eax; ret 9_2_0016D4F8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016D4F2 push eax; ret 9_2_0016D4F8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016D4FB push eax; ret 9_2_0016D562
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016D55C push eax; ret 9_2_0016D562
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_001665DC push es; iretd 9_2_001665DD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0016774A push ecx; retf 9_2_00167751
Source: initial sample Static PE information: section name: .text entropy: 7.7277719097

Hooking and other Techniques for Hiding and Protection:

barindex
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\mstsc.exe Process created: /c del "C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: /c del "C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe" Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL_AWB_NO#907853880911.exe.2ef3880.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_AWB_NO#907853880911.exe PID: 7156, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000000159904 second address: 000000000015990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000000159B6E second address: 0000000000159B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe TID: 7160 Thread sleep time: -33950s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe TID: 5128 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Thread delayed: delay time: 33950 Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 0000000F.00000003.910451729.0000000006914000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BeP
Source: explorer.exe, 0000000F.00000003.892678163.0000000006936000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000F.00000000.834831515.00000000013FF000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000F.00000003.843225044.00000000068F0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B2
Source: explorer.exe, 0000000F.00000003.844279531.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ort (PPPOE)
Source: explorer.exe, 0000000F.00000000.873245390.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000F.00000003.838440381.00000000068DB000.00000004.00000001.sdmp Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94fZ
Source: explorer.exe, 0000000F.00000003.858695128.000000000FAD7000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: explorer.exe, 0000000F.00000003.911854479.00000000069F5000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B)
Source: explorer.exe, 0000000F.00000003.838239326.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\!
Source: explorer.exe, 0000000F.00000003.847371587.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B9/
Source: explorer.exe, 00000005.00000000.684354422.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000000.847452775.0000000006886000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA_CD00#5&280bP
Source: explorer.exe, 0000000F.00000003.842878198.0000000006893000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000F.00000003.913038679.00000000069F7000.00000004.00000001.sdmp Binary or memory string: 8f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B[
Source: explorer.exe, 0000000F.00000000.897004002.00000000068DC000.00000004.00000001.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATAV
Source: explorer.exe, 0000000F.00000003.838239326.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\>
Source: explorer.exe, 00000005.00000000.678837034.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.684528225.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000F.00000003.870475999.000000000FADC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 0000000F.00000003.876351845.0000000006914000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BnQ
Source: explorer.exe, 0000000F.00000000.897641119.0000000007040000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000007!
Source: explorer.exe, 0000000F.00000003.870475999.000000000FADC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: explorer.exe, 00000005.00000000.684656202.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 0000000F.00000003.870475999.000000000FADC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}|
Source: explorer.exe, 0000000F.00000000.873245390.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft\WindowsAppsPATHEXT=.COBP/
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000F.00000003.892678163.0000000006936000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000F.00000003.838239326.0000000006936000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.911854479.00000000069F5000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BM
Source: explorer.exe, 0000000F.00000003.891640168.00000000069F5000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B@
Source: explorer.exe, 0000000F.00000003.892678163.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ort (PPPOE)6
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000F.00000003.847371587.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BG.
Source: explorer.exe, 0000000F.00000003.909071438.00000000069F5000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bw
Source: explorer.exe, 0000000F.00000000.873245390.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=C:\Program Files (x86)ProB
Source: explorer.exe, 0000000F.00000000.897390395.00000000069F4000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bj
Source: explorer.exe, 00000005.00000000.684528225.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 0000000F.00000000.873245390.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000000F.00000003.892678163.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}rt
Source: explorer.exe, 0000000F.00000003.890522306.000000000690E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Packages
Source: explorer.exe, 0000000F.00000003.910003911.00000000069F7000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B[
Source: explorer.exe, 0000000F.00000003.863615553.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ort (PPPOE)[
Source: explorer.exe, 0000000F.00000003.893264606.0000000006914000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B R.
Source: explorer.exe, 0000000F.00000003.847371587.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BP/
Source: explorer.exe, 0000000F.00000003.890522306.000000000690E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}microsoft.windows.contenB
Source: DHL_AWB_NO#907853880911.exe, 00000000.00000002.676134512.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000F.00000003.891479405.000000000690E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00
Source: explorer.exe, 0000000F.00000000.873245390.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B](
Source: explorer.exe, 0000000F.00000003.892678163.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.849093600.00000000069EA000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\X
Source: explorer.exe, 00000005.00000000.680799524.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.834800963.00000000067D6000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000@v
Source: explorer.exe, 0000000F.00000003.870475999.000000000FADC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Source: explorer.exe, 0000000F.00000003.870475999.000000000FADC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 0000000F.00000003.839675894.0000000006A36000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B}-
Source: explorer.exe, 0000000F.00000003.870475999.000000000FADC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: explorer.exe, 0000000F.00000003.838239326.0000000006936000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\.
Source: explorer.exe, 0000000F.00000003.834800963.00000000067D6000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000F.00000000.873245390.000000000FA69000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B,.

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9100 mov eax, dword ptr fs:[00000030h] 2_2_010C9100
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9100 mov eax, dword ptr fs:[00000030h] 2_2_010C9100
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9100 mov eax, dword ptr fs:[00000030h] 2_2_010C9100
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E4120 mov eax, dword ptr fs:[00000030h] 2_2_010E4120
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E4120 mov eax, dword ptr fs:[00000030h] 2_2_010E4120
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E4120 mov eax, dword ptr fs:[00000030h] 2_2_010E4120
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E4120 mov eax, dword ptr fs:[00000030h] 2_2_010E4120
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E4120 mov ecx, dword ptr fs:[00000030h] 2_2_010E4120
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F513A mov eax, dword ptr fs:[00000030h] 2_2_010F513A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F513A mov eax, dword ptr fs:[00000030h] 2_2_010F513A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EB944 mov eax, dword ptr fs:[00000030h] 2_2_010EB944
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EB944 mov eax, dword ptr fs:[00000030h] 2_2_010EB944
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CC962 mov eax, dword ptr fs:[00000030h] 2_2_010CC962
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CB171 mov eax, dword ptr fs:[00000030h] 2_2_010CB171
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CB171 mov eax, dword ptr fs:[00000030h] 2_2_010CB171
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FA185 mov eax, dword ptr fs:[00000030h] 2_2_010FA185
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EC182 mov eax, dword ptr fs:[00000030h] 2_2_010EC182
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F2990 mov eax, dword ptr fs:[00000030h] 2_2_010F2990
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011451BE mov eax, dword ptr fs:[00000030h] 2_2_011451BE
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011451BE mov eax, dword ptr fs:[00000030h] 2_2_011451BE
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011451BE mov eax, dword ptr fs:[00000030h] 2_2_011451BE
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011451BE mov eax, dword ptr fs:[00000030h] 2_2_011451BE
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F61A0 mov eax, dword ptr fs:[00000030h] 2_2_010F61A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F61A0 mov eax, dword ptr fs:[00000030h] 2_2_010F61A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov eax, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov eax, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov eax, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov ecx, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E99BF mov eax, dword ptr fs:[00000030h] 2_2_010E99BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011469A6 mov eax, dword ptr fs:[00000030h] 2_2_011469A6
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011849A4 mov eax, dword ptr fs:[00000030h] 2_2_011849A4
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011849A4 mov eax, dword ptr fs:[00000030h] 2_2_011849A4
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011849A4 mov eax, dword ptr fs:[00000030h] 2_2_011849A4
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011849A4 mov eax, dword ptr fs:[00000030h] 2_2_011849A4
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_010CB1E1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_010CB1E1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_010CB1E1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011541E8 mov eax, dword ptr fs:[00000030h] 2_2_011541E8
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01147016 mov eax, dword ptr fs:[00000030h] 2_2_01147016
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01147016 mov eax, dword ptr fs:[00000030h] 2_2_01147016
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01147016 mov eax, dword ptr fs:[00000030h] 2_2_01147016
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01194015 mov eax, dword ptr fs:[00000030h] 2_2_01194015
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01194015 mov eax, dword ptr fs:[00000030h] 2_2_01194015
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F002D mov eax, dword ptr fs:[00000030h] 2_2_010F002D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F002D mov eax, dword ptr fs:[00000030h] 2_2_010F002D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F002D mov eax, dword ptr fs:[00000030h] 2_2_010F002D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F002D mov eax, dword ptr fs:[00000030h] 2_2_010F002D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F002D mov eax, dword ptr fs:[00000030h] 2_2_010F002D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DB02A mov eax, dword ptr fs:[00000030h] 2_2_010DB02A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DB02A mov eax, dword ptr fs:[00000030h] 2_2_010DB02A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DB02A mov eax, dword ptr fs:[00000030h] 2_2_010DB02A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DB02A mov eax, dword ptr fs:[00000030h] 2_2_010DB02A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA830 mov eax, dword ptr fs:[00000030h] 2_2_010EA830
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA830 mov eax, dword ptr fs:[00000030h] 2_2_010EA830
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA830 mov eax, dword ptr fs:[00000030h] 2_2_010EA830
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA830 mov eax, dword ptr fs:[00000030h] 2_2_010EA830
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E0050 mov eax, dword ptr fs:[00000030h] 2_2_010E0050
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E0050 mov eax, dword ptr fs:[00000030h] 2_2_010E0050
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182073 mov eax, dword ptr fs:[00000030h] 2_2_01182073
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01191074 mov eax, dword ptr fs:[00000030h] 2_2_01191074
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9080 mov eax, dword ptr fs:[00000030h] 2_2_010C9080
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01143884 mov eax, dword ptr fs:[00000030h] 2_2_01143884
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01143884 mov eax, dword ptr fs:[00000030h] 2_2_01143884
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F20A0 mov eax, dword ptr fs:[00000030h] 2_2_010F20A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F20A0 mov eax, dword ptr fs:[00000030h] 2_2_010F20A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F20A0 mov eax, dword ptr fs:[00000030h] 2_2_010F20A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F20A0 mov eax, dword ptr fs:[00000030h] 2_2_010F20A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F20A0 mov eax, dword ptr fs:[00000030h] 2_2_010F20A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F20A0 mov eax, dword ptr fs:[00000030h] 2_2_010F20A0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FF0BF mov ecx, dword ptr fs:[00000030h] 2_2_010FF0BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FF0BF mov eax, dword ptr fs:[00000030h] 2_2_010FF0BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FF0BF mov eax, dword ptr fs:[00000030h] 2_2_010FF0BF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011090AF mov eax, dword ptr fs:[00000030h] 2_2_011090AF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0115B8D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0115B8D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0115B8D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0115B8D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0115B8D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0115B8D0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C58EC mov eax, dword ptr fs:[00000030h] 2_2_010C58EC
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EB8E4 mov eax, dword ptr fs:[00000030h] 2_2_010EB8E4
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EB8E4 mov eax, dword ptr fs:[00000030h] 2_2_010EB8E4
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C40E1 mov eax, dword ptr fs:[00000030h] 2_2_010C40E1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C40E1 mov eax, dword ptr fs:[00000030h] 2_2_010C40E1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C40E1 mov eax, dword ptr fs:[00000030h] 2_2_010C40E1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118131B mov eax, dword ptr fs:[00000030h] 2_2_0118131B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA309 mov eax, dword ptr fs:[00000030h] 2_2_010EA309
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01198B58 mov eax, dword ptr fs:[00000030h] 2_2_01198B58
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CDB40 mov eax, dword ptr fs:[00000030h] 2_2_010CDB40
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CF358 mov eax, dword ptr fs:[00000030h] 2_2_010CF358
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CDB60 mov ecx, dword ptr fs:[00000030h] 2_2_010CDB60
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F3B7A mov eax, dword ptr fs:[00000030h] 2_2_010F3B7A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F3B7A mov eax, dword ptr fs:[00000030h] 2_2_010F3B7A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D1B8F mov eax, dword ptr fs:[00000030h] 2_2_010D1B8F
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D1B8F mov eax, dword ptr fs:[00000030h] 2_2_010D1B8F
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118138A mov eax, dword ptr fs:[00000030h] 2_2_0118138A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0117D380 mov ecx, dword ptr fs:[00000030h] 2_2_0117D380
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F2397 mov eax, dword ptr fs:[00000030h] 2_2_010F2397
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FB390 mov eax, dword ptr fs:[00000030h] 2_2_010FB390
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F4BAD mov eax, dword ptr fs:[00000030h] 2_2_010F4BAD
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F4BAD mov eax, dword ptr fs:[00000030h] 2_2_010F4BAD
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F4BAD mov eax, dword ptr fs:[00000030h] 2_2_010F4BAD
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01195BA5 mov eax, dword ptr fs:[00000030h] 2_2_01195BA5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011453CA mov eax, dword ptr fs:[00000030h] 2_2_011453CA
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011453CA mov eax, dword ptr fs:[00000030h] 2_2_011453CA
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EDBE9 mov eax, dword ptr fs:[00000030h] 2_2_010EDBE9
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F03E2 mov eax, dword ptr fs:[00000030h] 2_2_010F03E2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F03E2 mov eax, dword ptr fs:[00000030h] 2_2_010F03E2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F03E2 mov eax, dword ptr fs:[00000030h] 2_2_010F03E2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F03E2 mov eax, dword ptr fs:[00000030h] 2_2_010F03E2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F03E2 mov eax, dword ptr fs:[00000030h] 2_2_010F03E2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F03E2 mov eax, dword ptr fs:[00000030h] 2_2_010F03E2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011723E3 mov ecx, dword ptr fs:[00000030h] 2_2_011723E3
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011723E3 mov ecx, dword ptr fs:[00000030h] 2_2_011723E3
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011723E3 mov eax, dword ptr fs:[00000030h] 2_2_011723E3
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D8A0A mov eax, dword ptr fs:[00000030h] 2_2_010D8A0A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118AA16 mov eax, dword ptr fs:[00000030h] 2_2_0118AA16
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118AA16 mov eax, dword ptr fs:[00000030h] 2_2_0118AA16
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E3A1C mov eax, dword ptr fs:[00000030h] 2_2_010E3A1C
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CAA16 mov eax, dword ptr fs:[00000030h] 2_2_010CAA16
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CAA16 mov eax, dword ptr fs:[00000030h] 2_2_010CAA16
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C5210 mov eax, dword ptr fs:[00000030h] 2_2_010C5210
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C5210 mov ecx, dword ptr fs:[00000030h] 2_2_010C5210
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C5210 mov eax, dword ptr fs:[00000030h] 2_2_010C5210
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C5210 mov eax, dword ptr fs:[00000030h] 2_2_010C5210
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EA229 mov eax, dword ptr fs:[00000030h] 2_2_010EA229
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01104A2C mov eax, dword ptr fs:[00000030h] 2_2_01104A2C
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01104A2C mov eax, dword ptr fs:[00000030h] 2_2_01104A2C
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01154257 mov eax, dword ptr fs:[00000030h] 2_2_01154257
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9240 mov eax, dword ptr fs:[00000030h] 2_2_010C9240
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9240 mov eax, dword ptr fs:[00000030h] 2_2_010C9240
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9240 mov eax, dword ptr fs:[00000030h] 2_2_010C9240
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C9240 mov eax, dword ptr fs:[00000030h] 2_2_010C9240
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118EA55 mov eax, dword ptr fs:[00000030h] 2_2_0118EA55
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0110927A mov eax, dword ptr fs:[00000030h] 2_2_0110927A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0117B260 mov eax, dword ptr fs:[00000030h] 2_2_0117B260
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0117B260 mov eax, dword ptr fs:[00000030h] 2_2_0117B260
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01198A62 mov eax, dword ptr fs:[00000030h] 2_2_01198A62
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FD294 mov eax, dword ptr fs:[00000030h] 2_2_010FD294
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FD294 mov eax, dword ptr fs:[00000030h] 2_2_010FD294
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C52A5 mov eax, dword ptr fs:[00000030h] 2_2_010C52A5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C52A5 mov eax, dword ptr fs:[00000030h] 2_2_010C52A5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C52A5 mov eax, dword ptr fs:[00000030h] 2_2_010C52A5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C52A5 mov eax, dword ptr fs:[00000030h] 2_2_010C52A5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C52A5 mov eax, dword ptr fs:[00000030h] 2_2_010C52A5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DAAB0 mov eax, dword ptr fs:[00000030h] 2_2_010DAAB0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DAAB0 mov eax, dword ptr fs:[00000030h] 2_2_010DAAB0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FFAB0 mov eax, dword ptr fs:[00000030h] 2_2_010FFAB0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F2ACB mov eax, dword ptr fs:[00000030h] 2_2_010F2ACB
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F2AE4 mov eax, dword ptr fs:[00000030h] 2_2_010F2AE4
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184AEF mov eax, dword ptr fs:[00000030h] 2_2_01184AEF
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118E539 mov eax, dword ptr fs:[00000030h] 2_2_0118E539
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0114A537 mov eax, dword ptr fs:[00000030h] 2_2_0114A537
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01198D34 mov eax, dword ptr fs:[00000030h] 2_2_01198D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F4D3B mov eax, dword ptr fs:[00000030h] 2_2_010F4D3B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F4D3B mov eax, dword ptr fs:[00000030h] 2_2_010F4D3B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F4D3B mov eax, dword ptr fs:[00000030h] 2_2_010F4D3B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D3D34 mov eax, dword ptr fs:[00000030h] 2_2_010D3D34
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CAD30 mov eax, dword ptr fs:[00000030h] 2_2_010CAD30
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01103D43 mov eax, dword ptr fs:[00000030h] 2_2_01103D43
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01143540 mov eax, dword ptr fs:[00000030h] 2_2_01143540
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01173D40 mov eax, dword ptr fs:[00000030h] 2_2_01173D40
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E7D50 mov eax, dword ptr fs:[00000030h] 2_2_010E7D50
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EC577 mov eax, dword ptr fs:[00000030h] 2_2_010EC577
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EC577 mov eax, dword ptr fs:[00000030h] 2_2_010EC577
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C2D8A mov eax, dword ptr fs:[00000030h] 2_2_010C2D8A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C2D8A mov eax, dword ptr fs:[00000030h] 2_2_010C2D8A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C2D8A mov eax, dword ptr fs:[00000030h] 2_2_010C2D8A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C2D8A mov eax, dword ptr fs:[00000030h] 2_2_010C2D8A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C2D8A mov eax, dword ptr fs:[00000030h] 2_2_010C2D8A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FFD9B mov eax, dword ptr fs:[00000030h] 2_2_010FFD9B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FFD9B mov eax, dword ptr fs:[00000030h] 2_2_010FFD9B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 mov eax, dword ptr fs:[00000030h] 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 mov eax, dword ptr fs:[00000030h] 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 mov eax, dword ptr fs:[00000030h] 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 mov eax, dword ptr fs:[00000030h] 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 mov eax, dword ptr fs:[00000030h] 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 mov eax, dword ptr fs:[00000030h] 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01182D82 mov eax, dword ptr fs:[00000030h] 2_2_01182D82
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F35A1 mov eax, dword ptr fs:[00000030h] 2_2_010F35A1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011905AC mov eax, dword ptr fs:[00000030h] 2_2_011905AC
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011905AC mov eax, dword ptr fs:[00000030h] 2_2_011905AC
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F1DB5 mov eax, dword ptr fs:[00000030h] 2_2_010F1DB5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F1DB5 mov eax, dword ptr fs:[00000030h] 2_2_010F1DB5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F1DB5 mov eax, dword ptr fs:[00000030h] 2_2_010F1DB5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146DC9 mov eax, dword ptr fs:[00000030h] 2_2_01146DC9
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146DC9 mov eax, dword ptr fs:[00000030h] 2_2_01146DC9
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146DC9 mov eax, dword ptr fs:[00000030h] 2_2_01146DC9
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146DC9 mov ecx, dword ptr fs:[00000030h] 2_2_01146DC9
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146DC9 mov eax, dword ptr fs:[00000030h] 2_2_01146DC9
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146DC9 mov eax, dword ptr fs:[00000030h] 2_2_01146DC9
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01178DF1 mov eax, dword ptr fs:[00000030h] 2_2_01178DF1
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DD5E0 mov eax, dword ptr fs:[00000030h] 2_2_010DD5E0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DD5E0 mov eax, dword ptr fs:[00000030h] 2_2_010DD5E0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0118FDE2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0118FDE2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0118FDE2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0118FDE2
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0119740D mov eax, dword ptr fs:[00000030h] 2_2_0119740D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0119740D mov eax, dword ptr fs:[00000030h] 2_2_0119740D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0119740D mov eax, dword ptr fs:[00000030h] 2_2_0119740D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181C06 mov eax, dword ptr fs:[00000030h] 2_2_01181C06
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146C0A mov eax, dword ptr fs:[00000030h] 2_2_01146C0A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146C0A mov eax, dword ptr fs:[00000030h] 2_2_01146C0A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146C0A mov eax, dword ptr fs:[00000030h] 2_2_01146C0A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146C0A mov eax, dword ptr fs:[00000030h] 2_2_01146C0A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FBC2C mov eax, dword ptr fs:[00000030h] 2_2_010FBC2C
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FA44B mov eax, dword ptr fs:[00000030h] 2_2_010FA44B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115C450 mov eax, dword ptr fs:[00000030h] 2_2_0115C450
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115C450 mov eax, dword ptr fs:[00000030h] 2_2_0115C450
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010E746D mov eax, dword ptr fs:[00000030h] 2_2_010E746D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FAC7B mov eax, dword ptr fs:[00000030h] 2_2_010FAC7B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01184496 mov eax, dword ptr fs:[00000030h] 2_2_01184496
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D849B mov eax, dword ptr fs:[00000030h] 2_2_010D849B
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01198CD6 mov eax, dword ptr fs:[00000030h] 2_2_01198CD6
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011814FB mov eax, dword ptr fs:[00000030h] 2_2_011814FB
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146CF0 mov eax, dword ptr fs:[00000030h] 2_2_01146CF0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146CF0 mov eax, dword ptr fs:[00000030h] 2_2_01146CF0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01146CF0 mov eax, dword ptr fs:[00000030h] 2_2_01146CF0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FA70E mov eax, dword ptr fs:[00000030h] 2_2_010FA70E
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FA70E mov eax, dword ptr fs:[00000030h] 2_2_010FA70E
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115FF10 mov eax, dword ptr fs:[00000030h] 2_2_0115FF10
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115FF10 mov eax, dword ptr fs:[00000030h] 2_2_0115FF10
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0119070D mov eax, dword ptr fs:[00000030h] 2_2_0119070D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0119070D mov eax, dword ptr fs:[00000030h] 2_2_0119070D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EF716 mov eax, dword ptr fs:[00000030h] 2_2_010EF716
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C4F2E mov eax, dword ptr fs:[00000030h] 2_2_010C4F2E
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010C4F2E mov eax, dword ptr fs:[00000030h] 2_2_010C4F2E
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EB73D mov eax, dword ptr fs:[00000030h] 2_2_010EB73D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EB73D mov eax, dword ptr fs:[00000030h] 2_2_010EB73D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FE730 mov eax, dword ptr fs:[00000030h] 2_2_010FE730
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DEF40 mov eax, dword ptr fs:[00000030h] 2_2_010DEF40
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010DFF60 mov eax, dword ptr fs:[00000030h] 2_2_010DFF60
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01198F6A mov eax, dword ptr fs:[00000030h] 2_2_01198F6A
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01147794 mov eax, dword ptr fs:[00000030h] 2_2_01147794
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01147794 mov eax, dword ptr fs:[00000030h] 2_2_01147794
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01147794 mov eax, dword ptr fs:[00000030h] 2_2_01147794
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D8794 mov eax, dword ptr fs:[00000030h] 2_2_010D8794
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011037F5 mov eax, dword ptr fs:[00000030h] 2_2_011037F5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CC600 mov eax, dword ptr fs:[00000030h] 2_2_010CC600
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CC600 mov eax, dword ptr fs:[00000030h] 2_2_010CC600
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CC600 mov eax, dword ptr fs:[00000030h] 2_2_010CC600
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F8E00 mov eax, dword ptr fs:[00000030h] 2_2_010F8E00
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01181608 mov eax, dword ptr fs:[00000030h] 2_2_01181608
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FA61C mov eax, dword ptr fs:[00000030h] 2_2_010FA61C
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010FA61C mov eax, dword ptr fs:[00000030h] 2_2_010FA61C
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0117FE3F mov eax, dword ptr fs:[00000030h] 2_2_0117FE3F
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010CE620 mov eax, dword ptr fs:[00000030h] 2_2_010CE620
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D7E41 mov eax, dword ptr fs:[00000030h] 2_2_010D7E41
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D7E41 mov eax, dword ptr fs:[00000030h] 2_2_010D7E41
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D7E41 mov eax, dword ptr fs:[00000030h] 2_2_010D7E41
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D7E41 mov eax, dword ptr fs:[00000030h] 2_2_010D7E41
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D7E41 mov eax, dword ptr fs:[00000030h] 2_2_010D7E41
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D7E41 mov eax, dword ptr fs:[00000030h] 2_2_010D7E41
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118AE44 mov eax, dword ptr fs:[00000030h] 2_2_0118AE44
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0118AE44 mov eax, dword ptr fs:[00000030h] 2_2_0118AE44
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D766D mov eax, dword ptr fs:[00000030h] 2_2_010D766D
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EAE73 mov eax, dword ptr fs:[00000030h] 2_2_010EAE73
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EAE73 mov eax, dword ptr fs:[00000030h] 2_2_010EAE73
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EAE73 mov eax, dword ptr fs:[00000030h] 2_2_010EAE73
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EAE73 mov eax, dword ptr fs:[00000030h] 2_2_010EAE73
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010EAE73 mov eax, dword ptr fs:[00000030h] 2_2_010EAE73
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0115FE87 mov eax, dword ptr fs:[00000030h] 2_2_0115FE87
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_011446A7 mov eax, dword ptr fs:[00000030h] 2_2_011446A7
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01190EA5 mov eax, dword ptr fs:[00000030h] 2_2_01190EA5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01190EA5 mov eax, dword ptr fs:[00000030h] 2_2_01190EA5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01190EA5 mov eax, dword ptr fs:[00000030h] 2_2_01190EA5
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F36CC mov eax, dword ptr fs:[00000030h] 2_2_010F36CC
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01198ED6 mov eax, dword ptr fs:[00000030h] 2_2_01198ED6
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0117FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0117FEC0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_01108EC7 mov eax, dword ptr fs:[00000030h] 2_2_01108EC7
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010F16E0 mov ecx, dword ptr fs:[00000030h] 2_2_010F16E0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_010D76E2 mov eax, dword ptr fs:[00000030h] 2_2_010D76E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046E746D mov eax, dword ptr fs:[00000030h] 9_2_046E746D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FA44B mov eax, dword ptr fs:[00000030h] 9_2_046FA44B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0475C450 mov eax, dword ptr fs:[00000030h] 9_2_0475C450
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0475C450 mov eax, dword ptr fs:[00000030h] 9_2_0475C450
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FBC2C mov eax, dword ptr fs:[00000030h] 9_2_046FBC2C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0479740D mov eax, dword ptr fs:[00000030h] 9_2_0479740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0479740D mov eax, dword ptr fs:[00000030h] 9_2_0479740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0479740D mov eax, dword ptr fs:[00000030h] 9_2_0479740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781C06 mov eax, dword ptr fs:[00000030h] 9_2_04781C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746C0A mov eax, dword ptr fs:[00000030h] 9_2_04746C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746C0A mov eax, dword ptr fs:[00000030h] 9_2_04746C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746C0A mov eax, dword ptr fs:[00000030h] 9_2_04746C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746C0A mov eax, dword ptr fs:[00000030h] 9_2_04746C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047814FB mov eax, dword ptr fs:[00000030h] 9_2_047814FB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746CF0 mov eax, dword ptr fs:[00000030h] 9_2_04746CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746CF0 mov eax, dword ptr fs:[00000030h] 9_2_04746CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746CF0 mov eax, dword ptr fs:[00000030h] 9_2_04746CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04798CD6 mov eax, dword ptr fs:[00000030h] 9_2_04798CD6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D849B mov eax, dword ptr fs:[00000030h] 9_2_046D849B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046EC577 mov eax, dword ptr fs:[00000030h] 9_2_046EC577
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046EC577 mov eax, dword ptr fs:[00000030h] 9_2_046EC577
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04703D43 mov eax, dword ptr fs:[00000030h] 9_2_04703D43
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04743540 mov eax, dword ptr fs:[00000030h] 9_2_04743540
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046E7D50 mov eax, dword ptr fs:[00000030h] 9_2_046E7D50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478E539 mov eax, dword ptr fs:[00000030h] 9_2_0478E539
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0474A537 mov eax, dword ptr fs:[00000030h] 9_2_0474A537
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04798D34 mov eax, dword ptr fs:[00000030h] 9_2_04798D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F4D3B mov eax, dword ptr fs:[00000030h] 9_2_046F4D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F4D3B mov eax, dword ptr fs:[00000030h] 9_2_046F4D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F4D3B mov eax, dword ptr fs:[00000030h] 9_2_046F4D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D3D34 mov eax, dword ptr fs:[00000030h] 9_2_046D3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046CAD30 mov eax, dword ptr fs:[00000030h] 9_2_046CAD30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04778DF1 mov eax, dword ptr fs:[00000030h] 9_2_04778DF1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046DD5E0 mov eax, dword ptr fs:[00000030h] 9_2_046DD5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046DD5E0 mov eax, dword ptr fs:[00000030h] 9_2_046DD5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0478FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0478FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0478FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0478FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746DC9 mov eax, dword ptr fs:[00000030h] 9_2_04746DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746DC9 mov eax, dword ptr fs:[00000030h] 9_2_04746DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746DC9 mov eax, dword ptr fs:[00000030h] 9_2_04746DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746DC9 mov ecx, dword ptr fs:[00000030h] 9_2_04746DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746DC9 mov eax, dword ptr fs:[00000030h] 9_2_04746DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04746DC9 mov eax, dword ptr fs:[00000030h] 9_2_04746DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F35A1 mov eax, dword ptr fs:[00000030h] 9_2_046F35A1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047905AC mov eax, dword ptr fs:[00000030h] 9_2_047905AC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047905AC mov eax, dword ptr fs:[00000030h] 9_2_047905AC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F1DB5 mov eax, dword ptr fs:[00000030h] 9_2_046F1DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F1DB5 mov eax, dword ptr fs:[00000030h] 9_2_046F1DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F1DB5 mov eax, dword ptr fs:[00000030h] 9_2_046F1DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C2D8A mov eax, dword ptr fs:[00000030h] 9_2_046C2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C2D8A mov eax, dword ptr fs:[00000030h] 9_2_046C2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C2D8A mov eax, dword ptr fs:[00000030h] 9_2_046C2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C2D8A mov eax, dword ptr fs:[00000030h] 9_2_046C2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C2D8A mov eax, dword ptr fs:[00000030h] 9_2_046C2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F2581 mov eax, dword ptr fs:[00000030h] 9_2_046F2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F2581 mov eax, dword ptr fs:[00000030h] 9_2_046F2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F2581 mov eax, dword ptr fs:[00000030h] 9_2_046F2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F2581 mov eax, dword ptr fs:[00000030h] 9_2_046F2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FFD9B mov eax, dword ptr fs:[00000030h] 9_2_046FFD9B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FFD9B mov eax, dword ptr fs:[00000030h] 9_2_046FFD9B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D766D mov eax, dword ptr fs:[00000030h] 9_2_046D766D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046EAE73 mov eax, dword ptr fs:[00000030h] 9_2_046EAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046EAE73 mov eax, dword ptr fs:[00000030h] 9_2_046EAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046EAE73 mov eax, dword ptr fs:[00000030h] 9_2_046EAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046EAE73 mov eax, dword ptr fs:[00000030h] 9_2_046EAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046EAE73 mov eax, dword ptr fs:[00000030h] 9_2_046EAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D7E41 mov eax, dword ptr fs:[00000030h] 9_2_046D7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D7E41 mov eax, dword ptr fs:[00000030h] 9_2_046D7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D7E41 mov eax, dword ptr fs:[00000030h] 9_2_046D7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D7E41 mov eax, dword ptr fs:[00000030h] 9_2_046D7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D7E41 mov eax, dword ptr fs:[00000030h] 9_2_046D7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D7E41 mov eax, dword ptr fs:[00000030h] 9_2_046D7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478AE44 mov eax, dword ptr fs:[00000030h] 9_2_0478AE44
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0478AE44 mov eax, dword ptr fs:[00000030h] 9_2_0478AE44
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0477FE3F mov eax, dword ptr fs:[00000030h] 9_2_0477FE3F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046CE620 mov eax, dword ptr fs:[00000030h] 9_2_046CE620
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046CC600 mov eax, dword ptr fs:[00000030h] 9_2_046CC600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046CC600 mov eax, dword ptr fs:[00000030h] 9_2_046CC600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046CC600 mov eax, dword ptr fs:[00000030h] 9_2_046CC600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F8E00 mov eax, dword ptr fs:[00000030h] 9_2_046F8E00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04781608 mov eax, dword ptr fs:[00000030h] 9_2_04781608
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FA61C mov eax, dword ptr fs:[00000030h] 9_2_046FA61C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FA61C mov eax, dword ptr fs:[00000030h] 9_2_046FA61C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F16E0 mov ecx, dword ptr fs:[00000030h] 9_2_046F16E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046D76E2 mov eax, dword ptr fs:[00000030h] 9_2_046D76E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046F36CC mov eax, dword ptr fs:[00000030h] 9_2_046F36CC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04798ED6 mov eax, dword ptr fs:[00000030h] 9_2_04798ED6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0477FEC0 mov eax, dword ptr fs:[00000030h] 9_2_0477FEC0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04708EC7 mov eax, dword ptr fs:[00000030h] 9_2_04708EC7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_047446A7 mov eax, dword ptr fs:[00000030h] 9_2_047446A7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04790EA5 mov eax, dword ptr fs:[00000030h] 9_2_04790EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04790EA5 mov eax, dword ptr fs:[00000030h] 9_2_04790EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04790EA5 mov eax, dword ptr fs:[00000030h] 9_2_04790EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0475FE87 mov eax, dword ptr fs:[00000030h] 9_2_0475FE87
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046DFF60 mov eax, dword ptr fs:[00000030h] 9_2_046DFF60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_04798F6A mov eax, dword ptr fs:[00000030h] 9_2_04798F6A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046DEF40 mov eax, dword ptr fs:[00000030h] 9_2_046DEF40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C4F2E mov eax, dword ptr fs:[00000030h] 9_2_046C4F2E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046C4F2E mov eax, dword ptr fs:[00000030h] 9_2_046C4F2E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FE730 mov eax, dword ptr fs:[00000030h] 9_2_046FE730
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FA70E mov eax, dword ptr fs:[00000030h] 9_2_046FA70E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_046FA70E mov eax, dword ptr fs:[00000030h] 9_2_046FA70E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0475FF10 mov eax, dword ptr fs:[00000030h] 9_2_0475FF10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0475FF10 mov eax, dword ptr fs:[00000030h] 9_2_0475FF10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 9_2_0479070D mov eax, dword ptr fs:[00000030h] 9_2_0479070D
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: F40000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: unknown protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Memory written: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 980 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Process created: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe" Jump to behavior
Source: explorer.exe, 00000005.00000000.690126195.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.762897989.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.710094418.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.676686097.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.676904433.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710332411.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.690493980.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.714196503.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.676904433.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710332411.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.690493980.0000000001080000.00000002.00020000.sdmp, mstsc.exe, 00000009.00000002.932373199.0000000003290000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.838070687.00000000019A0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.844348630.00000000055E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.894331795.00000000055E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.891581397.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.676904433.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710332411.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.690493980.0000000001080000.00000002.00020000.sdmp, mstsc.exe, 00000009.00000002.932373199.0000000003290000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.838070687.00000000019A0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.844348630.00000000055E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.890780958.0000000001348000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000000.894331795.00000000055E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.842406756.00000000052F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.891581397.00000000019A0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.893829123.00000000052F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.833432064.0000000001348000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000F.00000000.890780958.0000000001348000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000000.833432064.0000000001348000.00000004.00000020.sdmp Binary or memory string: Shell_TrayWndg
Source: explorer.exe, 00000005.00000000.676904433.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710332411.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.690493980.0000000001080000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.838070687.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.702459113.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.717243634.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.684528225.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: mstsc.exe, 00000009.00000002.932373199.0000000003290000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.838070687.00000000019A0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.891581397.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Program Manager;

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Queries volume information: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_AWB_NO#907853880911.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.DHL_AWB_NO#907853880911.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DHL_AWB_NO#907853880911.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.719427940.000000000E898000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.672669530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676498068.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.930477185.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.677126052.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.929049449.0000000000780000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.673053998.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.928132789.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.736134377.0000000001060000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.732545477.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734719303.0000000000C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.705738120.000000000E898000.00000040.00020000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 532893 Sample: DHL_AWB_NO#907853880911.exe Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 31 www.ibew-neca.com 2->31 33 Multi AV Scanner detection for domain / URL 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 6 other signatures 2->39 11 DHL_AWB_NO#907853880911.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\...\DHL_AWB_NO#907853880911.exe.log, ASCII 11->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 11->49 51 Injects a PE file into a foreign processes 11->51 15 DHL_AWB_NO#907853880911.exe 11->15         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Sample uses process hollowing technique 15->57 59 Queues an APC in another process (thread injection) 15->59 18 explorer.exe 15->18 injected process9 process10 20 mstsc.exe 18->20         started        signatures11 41 Self deletion via cmd delete 20->41 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        25 explorer.exe 1 151 20->25         started        process12 process13 27 conhost.exe 23->27         started       
No contacted IP infos

Contacted Domains

Name IP Active
www.ibew-neca.com 66.96.147.103 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.makheads.com/fl9w/ true
  • 10%, Virustotal, Browse
  • Avira URL Cloud: safe
 low