Windows Analysis Report
DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample Name: DHL AWB TRACKING DETAILS.exe
Analysis ID: 562043
MD5: 4e358b432ba956c13627beee054d68e5
SHA1: 8791318da047e93f2a16cc6535eba5159228f832
SHA256: 836696cddebff5d522acb2c105a404ceeb635df69b3c9544b5bebcef13bc3e86
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hdetpnipa.xyz/a34b/"], "decoy": ["mesonarte.com", "eksiwakun9.xyz", "dustcollectionconsultant.com", "heliosarchitecture.com", "chinaanalysisgroup.com", "nimbinhillshemp.com", "ychain.biz", "mountshastaart.com", "monstermangoloco.com", "bodhiandbear.com", "rootednft.xyz", "metayema.com", "zw21.xyz", "criccketworld.com", "segurobarato.net", "ananyacap.com", "momo-momo.xyz", "ezrealestatedeals.com", "ghrde.xyz", "idimol.com", "pcthspoe.xyz", "thewhiteswanharringworth.com", "che8760.com", "85111280.xyz", "apteka-magnolia.com", "proach.online", "portfolioabeckford.com", "affilinvest.com", "subspank.xyz", "odessamadrecoffeehouse.com", "onetrade.biz", "tianfuhg.com", "kibtitalikeniwenti.com", "terriblearttours.com", "saudirelief.com", "metacourting.xyz", "kimera.blue", "mgpsfm.com", "metawzrd.com", "veahhiodl.xyz", "alimasurfhotel.com", "sirensandiego.com", "gd-hxgg.com", "aurorarift.com", "clingbee.com", "zettavisor2021.xyz", "gregoryryankramer.art", "robertsonfandc.com", "sociedadgeograficacafe.com", "emilyhkeefer.com", "v-hush.com", "judithtuttle.xyz", "itbrandlink.com", "carrybicycles.com", "storge-evolution.com", "socnhhpa.xyz", "victorzark.com", "ghettoguy.com", "redtruckguy.com", "jeanmariewallendorf.com", "ocpdtel.xyz", "democracies.online", "bw529twonineh5.world", "chinhdohuyenthoai.xyz"]}
Source: DHL AWB TRACKING DETAILS.exe Virustotal: Detection: 43%
Source: DHL AWB TRACKING DETAILS.exe ReversingLabs: Detection: 48%
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.hdetpnipa.xyz/a34b/ Avira URL Cloud: Label: phishing
Source: www.hdetpnipa.xyz/a34b/ Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\nsr8F1B.tmp\vzhghptrhu.dll Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\nsr8F1B.tmp\vzhghptrhu.dll ReversingLabs: Detection: 25%
Source: DHL AWB TRACKING DETAILS.exe Joe Sandbox ML: detected
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 31.2.explorer.exe.f07f840.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.explorer.exe.ad0f840.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.wlanext.exe.382f840.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.wlanext.exe.deef30.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.explorer.exe.ad0f840.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.explorer.exe.ad0f840.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance

Source: DHL AWB TRACKING DETAILS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: DHL AWB TRACKING DETAILS.exe, 00000000.00000003.360349373.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000000.00000003.360736432.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436271704.0000000000AFF000.00000040.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436124386.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 0000000B.00000002.636937480.0000000003300000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 0000000B.00000002.637445370.000000000341F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL AWB TRACKING DETAILS.exe, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436271704.0000000000AFF000.00000040.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436124386.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 0000000B.00000002.636937480.0000000003300000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 0000000B.00000002.637445370.000000000341F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.437702980.00000000029F0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.437702980.00000000029F0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Software Vulnerabilities

Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4x nop then pop esi 1_2_004172DE
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4x nop then pop esi 1_2_004172A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop esi 11_2_00A172A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop esi 11_2_00A172DE

Networking

Source: Malware configuration extractor URLs: www.hdetpnipa.xyz/a34b/
Source: explorer.exe, 00000014.00000003.578175539.0000000004EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.543845759.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.550839224.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.555983128.0000000004EEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.553114910.0000000004EEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.566169156.0000000004ED2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000014.00000003.556038613.0000000004F3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.553294057.0000000004F3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.566295637.0000000004F3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.578401411.0000000004F3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: DHL AWB TRACKING DETAILS.exe, DHL AWB TRACKING DETAILS.exe, 00000000.00000002.361550279.0000000000409000.00000004.00000001.01000000.00000003.sdmp, DHL AWB TRACKING DETAILS.exe, 00000000.00000000.352121005.0000000000409000.00000008.00000001.01000000.00000003.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000000.355752258.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: DHL AWB TRACKING DETAILS.exe, 00000000.00000002.361550279.0000000000409000.00000004.00000001.01000000.00000003.sdmp, DHL AWB TRACKING DETAILS.exe, 00000000.00000000.352121005.0000000000409000.00000008.00000001.01000000.00000003.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000000.355752258.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.379142678.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.366064196.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.398584347.000000000095C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: www.chinaanalysisgroup.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

E-Banking Fraud

Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: DHL AWB TRACKING DETAILS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 0332B150 appears 35 times
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: String function: 00A0B150 appears 35 times
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041A360 NtCreateFile, 1_2_0041A360
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041A410 NtReadFile, 1_2_0041A410
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041A490 NtClose, 1_2_0041A490
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041A540 NtAllocateVirtualMemory, 1_2_0041A540
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041A35B NtCreateFile, 1_2_0041A35B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041A40A NtReadFile, 1_2_0041A40A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041A53A NtAllocateVirtualMemory, 1_2_0041A53A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A498F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A498F0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A49860
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49840 NtDelayExecution,LdrInitializeThunk, 1_2_00A49840
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A499A0 NtCreateSection,LdrInitializeThunk, 1_2_00A499A0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A49910
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49A20 NtResumeThread,LdrInitializeThunk, 1_2_00A49A20
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A49A00
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49A50 NtCreateFile,LdrInitializeThunk, 1_2_00A49A50
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A495D0 NtClose,LdrInitializeThunk, 1_2_00A495D0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49540 NtReadFile,LdrInitializeThunk, 1_2_00A49540
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A496E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A496E0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A49660
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A497A0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A49780
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A49710
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A498A0 NtWriteVirtualMemory, 1_2_00A498A0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49820 NtEnumerateKey, 1_2_00A49820
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A4B040 NtSuspendThread, 1_2_00A4B040
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A499D0 NtCreateProcessEx, 1_2_00A499D0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49950 NtQueueApcThread, 1_2_00A49950
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49A80 NtOpenDirectoryObject, 1_2_00A49A80
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49A10 NtQuerySection, 1_2_00A49A10
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A4A3B0 NtGetContextThread, 1_2_00A4A3B0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49B00 NtSetValueKey, 1_2_00A49B00
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A495F0 NtQueryInformationFile, 1_2_00A495F0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49520 NtWaitForSingleObject, 1_2_00A49520
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A4AD30 NtSetContextThread, 1_2_00A4AD30
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49560 NtWriteFile, 1_2_00A49560
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A496D0 NtCreateKey, 1_2_00A496D0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49610 NtEnumerateValueKey, 1_2_00A49610
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49670 NtQueryInformationProcess, 1_2_00A49670
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49650 NtQueryValueKey, 1_2_00A49650
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49FE0 NtCreateMutant, 1_2_00A49FE0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49730 NtQueryVirtualMemory, 1_2_00A49730
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A4A710 NtOpenProcessToken, 1_2_00A4A710
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49760 NtOpenProcess, 1_2_00A49760
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A49770 NtSetInformationFile, 1_2_00A49770
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A4A770 NtOpenThread, 1_2_00A4A770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369710 NtQueryInformationToken,LdrInitializeThunk, 11_2_03369710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369780 NtMapViewOfSection,LdrInitializeThunk, 11_2_03369780
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369FE0 NtCreateMutant,LdrInitializeThunk, 11_2_03369FE0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_03369660
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369650 NtQueryValueKey,LdrInitializeThunk, 11_2_03369650
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369A50 NtCreateFile,LdrInitializeThunk, 11_2_03369A50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033696E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_033696E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033696D0 NtCreateKey,LdrInitializeThunk, 11_2_033696D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_03369910
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369540 NtReadFile,LdrInitializeThunk, 11_2_03369540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033699A0 NtCreateSection,LdrInitializeThunk, 11_2_033699A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033695D0 NtClose,LdrInitializeThunk, 11_2_033695D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_03369860
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369840 NtDelayExecution,LdrInitializeThunk, 11_2_03369840
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369730 NtQueryVirtualMemory, 11_2_03369730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0336A710 NtOpenProcessToken, 11_2_0336A710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369B00 NtSetValueKey, 11_2_03369B00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369770 NtSetInformationFile, 11_2_03369770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0336A770 NtOpenThread, 11_2_0336A770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369760 NtOpenProcess, 11_2_03369760
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0336A3B0 NtGetContextThread, 11_2_0336A3B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033697A0 NtUnmapViewOfSection, 11_2_033697A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369A20 NtResumeThread, 11_2_03369A20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369610 NtEnumerateValueKey, 11_2_03369610
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369A10 NtQuerySection, 11_2_03369A10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369A00 NtProtectVirtualMemory, 11_2_03369A00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369670 NtQueryInformationProcess, 11_2_03369670
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369A80 NtOpenDirectoryObject, 11_2_03369A80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0336AD30 NtSetContextThread, 11_2_0336AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369520 NtWaitForSingleObject, 11_2_03369520
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369560 NtWriteFile, 11_2_03369560
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369950 NtQueueApcThread, 11_2_03369950
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033695F0 NtQueryInformationFile, 11_2_033695F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033699D0 NtCreateProcessEx, 11_2_033699D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03369820 NtEnumerateKey, 11_2_03369820
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0336B040 NtSuspendThread, 11_2_0336B040
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033698A0 NtWriteVirtualMemory, 11_2_033698A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_033698F0 NtReadVirtualMemory, 11_2_033698F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1A360 NtCreateFile, 11_2_00A1A360
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1A490 NtClose, 11_2_00A1A490
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1A410 NtReadFile, 11_2_00A1A410
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1A540 NtAllocateVirtualMemory, 11_2_00A1A540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1A35B NtCreateFile, 11_2_00A1A35B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1A40A NtReadFile, 11_2_00A1A40A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1A53A NtAllocateVirtualMemory, 11_2_00A1A53A
Source: DHL AWB TRACKING DETAILS.exe, 00000000.00000003.360581864.0000000003066000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000000.00000003.359981345.00000000031FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436567042.0000000000C8F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.437751802.0000000002A02000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436271704.0000000000AFF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe Virustotal: Detection: 43%
Source: DHL AWB TRACKING DETAILS.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File read: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: unknown Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Local\Temp\nsr8F19.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@1/0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_01
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wntdll.pdbUGP source: DHL AWB TRACKING DETAILS.exe, 00000000.00000003.360349373.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000000.00000003.360736432.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436271704.0000000000AFF000.00000040.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436124386.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 0000000B.00000002.636937480.0000000003300000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 0000000B.00000002.637445370.000000000341F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL AWB TRACKING DETAILS.exe, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436271704.0000000000AFF000.00000040.00000800.00020000.00000000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000001.00000002.436124386.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 0000000B.00000002.636937480.0000000003300000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 0000000B.00000002.637445370.000000000341F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.437702980.00000000029F0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.437702980.00000000029F0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00417853 push edx; retf 1_2_004178A1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00416978 push cs; retf 1_2_0041698A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041D4B5 push eax; ret 1_2_0041D508
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041D56C push eax; ret 1_2_0041D572
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041D502 push eax; ret 1_2_0041D508
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0041D50B push eax; ret 1_2_0041D572
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A5D0D1 push ecx; ret 1_2_00A5D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0337D0D1 push ecx; ret 11_2_0337D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A17853 push edx; retf 11_2_00A178A1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A16978 push cs; retf 11_2_00A1698A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1D4B5 push eax; ret 11_2_00A1D508
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1D502 push eax; ret 11_2_00A1D508
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1D50B push eax; ret 11_2_00A1D572
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00A1D56C push eax; ret 11_2_00A1D572
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Local\Temp\nsr8F1B.tmp\vzhghptrhu.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\wlanext.exe Process created: /c del "C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000000A09904 second address: 0000000000A0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000000A09B7E second address: 0000000000A09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00409AB0 rdtsc 1_2_00409AB0
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe API coverage: 8.7 %
Source: C:\Windows\SysWOW64\wlanext.exe API coverage: 9.7 %
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000014.00000000.563664219.0000000004560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.391671803.00000000083EB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000014.00000000.537602479.00000000052A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Z
Source: explorer.exe, 00000004.00000000.401670731.00000000062E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.553476304.0000000004F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&
Source: explorer.exe, 00000014.00000000.566169156.0000000004ED2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000014.00000003.577172496.000000000F39D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#5&Ms
Source: explorer.exe, 00000014.00000000.566169156.0000000004ED2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA
Source: explorer.exe, 00000014.00000003.538230272.0000000004D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
Source: explorer.exe, 00000014.00000003.595705023.0000000005005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000014.00000003.553476304.0000000004F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.537602479.00000000052A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
Source: explorer.exe, 00000014.00000003.578870629.0000000004F84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000014.00000003.577172496.000000000F39D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA}
Source: explorer.exe, 00000014.00000003.553476304.0000000004F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}A
Source: explorer.exe, 00000014.00000003.544779988.0000000004F18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000004.00000000.372241858.00000000082E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000014.00000003.551200673.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00s
Source: explorer.exe, 00000014.00000000.607327645.0000000004E34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.391707126.0000000008430000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000004.00000000.398584347.000000000095C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging

Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00409AB0 rdtsc 1_2_00409AB0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_02380402 mov eax, dword ptr fs:[00000030h] 0_2_02380402
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_02380616 mov eax, dword ptr fs:[00000030h] 0_2_02380616
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_02380706 mov eax, dword ptr fs:[00000030h] 0_2_02380706
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_02380744 mov eax, dword ptr fs:[00000030h] 0_2_02380744
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_023806C7 mov eax, dword ptr fs:[00000030h] 0_2_023806C7
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] 1_2_00A320A0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A490AF mov eax, dword ptr fs:[00000030h] 1_2_00A490AF
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A3F0BF
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A3F0BF
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09080 mov eax, dword ptr fs:[00000030h] 1_2_00A09080
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A83884 mov eax, dword ptr fs:[00000030h] 1_2_00A83884
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A058EC mov eax, dword ptr fs:[00000030h] 1_2_00A058EC
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A9B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h] 1_2_00AD4015
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h] 1_2_00AD4015
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] 1_2_00A87016
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] 1_2_00A87016
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] 1_2_00A87016
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD1074 mov eax, dword ptr fs:[00000030h] 1_2_00AD1074
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC2073 mov eax, dword ptr fs:[00000030h] 1_2_00AC2073
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h] 1_2_00A20050
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h] 1_2_00A20050
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h] 1_2_00A361A0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h] 1_2_00A361A0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A869A6 mov eax, dword ptr fs:[00000030h] 1_2_00A869A6
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2C182 mov eax, dword ptr fs:[00000030h] 1_2_00A2C182
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3A185 mov eax, dword ptr fs:[00000030h] 1_2_00A3A185
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32990 mov eax, dword ptr fs:[00000030h] 1_2_00A32990
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A0B1E1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A0B1E1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A0B1E1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A941E8 mov eax, dword ptr fs:[00000030h] 1_2_00A941E8
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A24120 mov ecx, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h] 1_2_00A3513A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h] 1_2_00A3513A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] 1_2_00A09100
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] 1_2_00A09100
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] 1_2_00A09100
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0C962 mov eax, dword ptr fs:[00000030h] 1_2_00A0C962
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h] 1_2_00A0B171
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h] 1_2_00A0B171
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h] 1_2_00A2B944
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h] 1_2_00A2B944
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A1AAB0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A1AAB0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3FAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A3FAB0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h] 1_2_00A3D294
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h] 1_2_00A3D294
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32AE4 mov eax, dword ptr fs:[00000030h] 1_2_00A32AE4
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32ACB mov eax, dword ptr fs:[00000030h] 1_2_00A32ACB
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h] 1_2_00A44A2C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h] 1_2_00A44A2C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A18A0A mov eax, dword ptr fs:[00000030h] 1_2_00A18A0A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A05210 mov ecx, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A0AA16
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A0AA16
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ACAA16
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ACAA16
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A23A1C mov eax, dword ptr fs:[00000030h] 1_2_00A23A1C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h] 1_2_00ABB260
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h] 1_2_00ABB260
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD8A62 mov eax, dword ptr fs:[00000030h] 1_2_00AD8A62
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A4927A mov eax, dword ptr fs:[00000030h] 1_2_00A4927A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACEA55 mov eax, dword ptr fs:[00000030h] 1_2_00ACEA55
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A94257 mov eax, dword ptr fs:[00000030h] 1_2_00A94257
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD5BA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD5BA5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] 1_2_00A34BAD
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] 1_2_00A34BAD
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] 1_2_00A34BAD
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC138A mov eax, dword ptr fs:[00000030h] 1_2_00AC138A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ABD380 mov ecx, dword ptr fs:[00000030h] 1_2_00ABD380
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h] 1_2_00A11B8F
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h] 1_2_00A11B8F
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3B390 mov eax, dword ptr fs:[00000030h] 1_2_00A3B390
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32397 mov eax, dword ptr fs:[00000030h] 1_2_00A32397
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2DBE9 mov eax, dword ptr fs:[00000030h] 1_2_00A2DBE9
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h] 1_2_00A853CA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h] 1_2_00A853CA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC131B mov eax, dword ptr fs:[00000030h] 1_2_00AC131B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00A0DB60
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h] 1_2_00A33B7A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h] 1_2_00A33B7A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0DB40 mov eax, dword ptr fs:[00000030h] 1_2_00A0DB40
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD8B58 mov eax, dword ptr fs:[00000030h] 1_2_00AD8B58
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0F358 mov eax, dword ptr fs:[00000030h] 1_2_00A0F358
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1849B mov eax, dword ptr fs:[00000030h] 1_2_00A1849B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC14FB mov eax, dword ptr fs:[00000030h] 1_2_00AC14FB
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A86CF0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A86CF0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A86CF0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD8CD6 mov eax, dword ptr fs:[00000030h] 1_2_00AD8CD6
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3BC2C mov eax, dword ptr fs:[00000030h] 1_2_00A3BC2C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h] 1_2_00AD740D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h] 1_2_00AD740D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h] 1_2_00AD740D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2746D mov eax, dword ptr fs:[00000030h] 1_2_00A2746D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3A44B mov eax, dword ptr fs:[00000030h] 1_2_00A3A44B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h] 1_2_00A9C450
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h] 1_2_00A9C450
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h] 1_2_00AD05AC
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h] 1_2_00AD05AC
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A335A1 mov eax, dword ptr fs:[00000030h] 1_2_00A335A1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A31DB5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A31DB5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A31DB5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A3FD9B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A3FD9B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A1D5E0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A1D5E0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AB8DF1 mov eax, dword ptr fs:[00000030h] 1_2_00AB8DF1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0AD30 mov eax, dword ptr fs:[00000030h] 1_2_00A0AD30
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ACE539 mov eax, dword ptr fs:[00000030h] 1_2_00ACE539
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h] 1_2_00A34D3B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h] 1_2_00A34D3B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h] 1_2_00A34D3B
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD8D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD8D34
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A8A537 mov eax, dword ptr fs:[00000030h] 1_2_00A8A537
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h] 1_2_00A2C577
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h] 1_2_00A2C577
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A43D43 mov eax, dword ptr fs:[00000030h] 1_2_00A43D43
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A83540 mov eax, dword ptr fs:[00000030h] 1_2_00A83540
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A27D50 mov eax, dword ptr fs:[00000030h] 1_2_00A27D50
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD0EA5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD0EA5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD0EA5
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A846A7 mov eax, dword ptr fs:[00000030h] 1_2_00A846A7
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A9FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A9FE87
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A316E0 mov ecx, dword ptr fs:[00000030h] 1_2_00A316E0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A176E2 mov eax, dword ptr fs:[00000030h] 1_2_00A176E2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A48EC7 mov eax, dword ptr fs:[00000030h] 1_2_00A48EC7
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ABFEC0 mov eax, dword ptr fs:[00000030h] 1_2_00ABFEC0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A336CC mov eax, dword ptr fs:[00000030h] 1_2_00A336CC
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AD8ED6 mov eax, dword ptr fs:[00000030h] 1_2_00AD8ED6
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0E620 mov eax, dword ptr fs:[00000030h] 1_2_00A0E620
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00ABFE3F mov eax, dword ptr fs:[00000030h] 1_2_00ABFE3F
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h] 1_2_00A0C600
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h] 1_2_00A0C600
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h] 1_2_00A0C600
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A38E00 mov eax, dword ptr fs:[00000030h] 1_2_00A38E00
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00AC1608 mov eax, dword ptr fs:[00000030h] 1_2_00AC1608
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h] 1_2_00A3A61C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h] 1_2_00A3A61C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A1766D mov eax, dword ptr fs:[00000030h] 1_2_00A1766D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0040ACF0 LdrLoadDll, 1_2_0040ACF0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: FA0000
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Memory written: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread register set: target process: 3440
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 4636
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe"
Source: explorer.exe, 00000004.00000000.400933847.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.372434615.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.379442047.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.406682717.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.366258257.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.391671803.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.398942795.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.398387239.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.365948444.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.379442047.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.378992987.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.366258257.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.398942795.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.569698157.0000000005680000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.601472852.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609013928.0000000005680000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.562272116.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.538860385.0000000005680000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.379442047.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.366258257.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.398942795.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000000.379442047.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.366258257.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.398942795.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000014.00000000.603455559.0000000004560000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.563664219.0000000004560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanng
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405AA7

Stealing of Sensitive Information

Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL AWB TRACKING DETAILS.exe.2f10000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL AWB TRACKING DETAILS.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.636107094.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.359424691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.635990166.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.360270037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.435840268.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.409581872.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.362630153.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436793150.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.394582472.000000000F123000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.634911519.0000000000A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436005605.00000000009A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos