Windows Analysis Report
DHL WB# 2343640950.exe

Overview

General Information

Sample Name: DHL WB# 2343640950.exe
Analysis ID: 635258
MD5: 81e4012e3036befd629438ace2e798e2
SHA1: d5b34d7dd4d4255fd3279bdd99c98b9e760bb34c
SHA256: bcd31729e663369b99fd178377977c5de078512046d2cb4b38c51d80d9801374
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.studiomayuko.com/183b/"], "decoy": ["textilestyle.online", "decorarteperu.com", "commonsensedigitalmarketing.biz", "yumkb.com", "brambletonsummercamp.com", "fug.life", "grandforest.space", "opmbettersvault.com", "rheintv.com", "blagodatbilja.store", "maxpw.com", "vital-roots.com", "lotte-finance5.com", "socalcrypto.network", "extra-pays.site", "mmaster.xyz", "electriccarsinfohubs.com", "qshid.life", "digitalqp.com", "golfsaudiarabia.com", "dreaminfolks.com", "smartlearningtoy.com", "paycheckstubonlin.com", "allsagesbookstore.com", "evicts.xyz", "universalorlandoyout.com", "mannaka-chokusou.com", "zhisou100.xyz", "century21judgefit.com", "taphrconsultancy.com", "simettrixstudio.com", "thebestutensilios.com", "diabeticinsurancebroker.com", "importantmarks.com", "masterpier.com", "spd201.com", "annuelcridetreport.com", "c2cvision.com", "smithridge.net", "teamsfos.com", "asiritatli.com", "dreamcastlesproperties.com", "care-supporters.com", "vw-4s.com", "216627.com", "xnotconotyogurt.com", "veganfund.net", "bricksofathens.com", "avroty.online", "thinkerquote.com", "registerbosc.com", "atlantarunningtours.com", "citragaming.com", "orientadorluismi.com", "eternaprimaverapr.com", "mysuperplate.com", "xydict.net", "clairetrost.com", "khopkhangtho.space", "budhu-law.com", "gaozhong.online", "sammserviices.com", "whiseltiess.com", "businessmindfulness.store"]}
Source: DHL WB# 2343640950.exe Virustotal: Detection: 47%
Source: DHL WB# 2343640950.exe ReversingLabs: Detection: 21%
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL WB# 2343640950.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL WB# 2343640950.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: DHL WB# 2343640950.exe, 00000005.00000002.512345140.0000000003740000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL WB# 2343640950.exe, 00000005.00000002.509487219.0000000001870000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.418665497.000000000153E000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000002.510678175.000000000198F000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.421562441.00000000016DC000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.510313145.0000000000EED000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.508015747.0000000000D46000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642289231.0000000004680000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642488316.000000000479F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL WB# 2343640950.exe, 00000005.00000002.509487219.0000000001870000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.418665497.000000000153E000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000002.510678175.000000000198F000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.421562441.00000000016DC000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.510313145.0000000000EED000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.508015747.0000000000D46000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642289231.0000000004680000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642488316.000000000479F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: DHL WB# 2343640950.exe, 00000005.00000002.512345140.0000000003740000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 4x nop then pop edi 5_2_0040E47A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 13_2_0061E47A

Networking

Source: C:\Windows\explorer.exe Domain query: www.paycheckstubonlin.com
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.171 80
Source: Malware configuration extractor URLs: www.studiomayuko.com/183b/
Source: global traffic HTTP traffic detected (request):
GET /183b/?3f=0pQLi&GTWHLhf=aeRI+VtYzSQE3A1d41SuiJFmY5rxFnxGMgk+ebPO7waK3tnPCQEIkRgDBSC82MoPtV6fY2DLrg== HTTP/1.1
Host: www.paycheckstubonlin.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected (response):
HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 27 May 2022 15:59:34 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.375029769.00000000055B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL WB# 2343640950.exe, 00000000.00000003.377133904.00000000055A7000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.377503899.00000000055A7000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378545531.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.376858559.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378033564.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.377574826.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378644300.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.376377568.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378324382.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.376750190.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.377095056.00000000055A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHL WB# 2343640950.exe, 00000000.00000003.377133904.00000000055A7000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.377503899.00000000055A7000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378545531.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.380503275.00000000055A7000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.376858559.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.379031205.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378033564.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.377574826.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378644300.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.376377568.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.378324382.00000000055A8000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.381687286.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.376750190.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.377095056.00000000055A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comttp
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL WB# 2343640950.exe, 00000000.00000003.382147355.00000000055A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL WB# 2343640950.exe, 00000000.00000003.383046028.00000000055D4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.383254350.00000000055D4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.383176460.00000000055D4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.383369016.00000000055D4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.383430136.00000000055D4000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.383112465.00000000055D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL WB# 2343640950.exe, 00000000.00000003.382147355.00000000055A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersp
Source: DHL WB# 2343640950.exe, 00000000.00000002.427545975.00000000055A0000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.420192767.00000000055A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgrita
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: DHL WB# 2343640950.exe, 00000000.00000003.371964876.00000000055DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com8
Source: DHL WB# 2343640950.exe, 00000000.00000003.371854007.00000000055DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comT?
Source: DHL WB# 2343640950.exe, 00000000.00000003.374059324.00000000055AF000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL WB# 2343640950.exe, 00000000.00000003.374059324.00000000055AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn%
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL WB# 2343640950.exe, 00000000.00000003.386580488.00000000055E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL WB# 2343640950.exe, 00000000.00000003.371017515.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.370840690.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.370831210.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.370858429.00000000055DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHL WB# 2343640950.exe, 00000000.00000003.371017515.00000000055DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com&
Source: DHL WB# 2343640950.exe, 00000000.00000003.371017515.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.370858429.00000000055DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com4
Source: DHL WB# 2343640950.exe, 00000000.00000003.370858429.00000000055DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comhy/
Source: DHL WB# 2343640950.exe, 00000000.00000003.371017515.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.370840690.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000000.00000003.370858429.00000000055DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comw
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL WB# 2343640950.exe, 00000000.00000002.427842888.00000000067B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.paycheckstubonlin.com
Source: DHL WB# 2343640950.exe, 00000000.00000002.421545726.0000000000A98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
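The extracted configuration above has one real C2 (www.studiomayuko.com/183b/) and 64 decoy domains; FormBook beacons to decoys as well as to the real server so that the C2 does not stand out in traffic, and all of them share the same URI path. The request the sandbox captured went to www.paycheckstubonlin.com, which is in the decoy list, with the C2 path /183b/, no User-Agent, Connection: close and a seven-NUL-byte body. The script below is an added triage example, not part of the sandbox output: it classifies an observed Host or DNS name against the config, pulls those beacon traits out of the raw request, and builds a blocklist that puts the real C2 first (blocking only the host seen in the capture would miss it). CONFIG is a cut-down, constructed copy of the extractor line (five of the decoys), and CAPTURED_REQUEST is the report's GET re-assembled with CRLF line endings.

```python
"""FormBook beacon triage against the extracted configuration.

Added example for this report, not output of the sandbox. CONFIG is a cut-down
copy of the "Malware Configuration Extractor" line (five of the 64 decoys, the
single C2 entry), so treat it as constructed input; CAPTURED_REQUEST is the
GET shown in the Networking section, re-assembled with CRLF line endings.
"""
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.studiomayuko.com/183b/"],
    "decoy": [
        "textilestyle.online",
        "decorarteperu.com",
        "paycheckstubonlin.com",
        "smartlearningtoy.com",
        "businessmindfulness.store",
    ],
}

CAPTURED_REQUEST = (
    "GET /183b/?3f=0pQLi&GTWHLhf=aeRI+VtYzSQE3A1d41SuiJFmY5rxFnxGMgk+ebPO7waK3tnPCQEIkRgDBSC82MoPtV6fY2DLrg== HTTP/1.1\r\n"
    "Host: www.paycheckstubonlin.com\r\n"
    "Connection: close\r\n"
    "\r\n" + "\x00" * 7   # seven NUL bytes, as in the report's "Data Raw"
)


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so config entries
    and observed Host headers compare equal."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(cfg):
    """C2 entries are 'host/path/'; decoys are bare hosts. Returns
    ([(host, path), ...], {decoy_host, ...})."""
    c2 = []
    for entry in cfg.get("C2 list", []):
        parts = urlsplit("http://" + entry)
        c2.append((normalize_host(parts.hostname or ""), parts.path or "/"))
    decoys = {normalize_host(d) for d in cfg.get("decoy", [])}
    return c2, decoys


def classify_host(host, cfg=CONFIG):
    """'c2', 'decoy' or 'unknown' for an observed Host header / DNS query."""
    c2, decoys = parse_config(cfg)
    h = normalize_host(host)
    if any(h == c2_host for c2_host, _ in c2):
        return "c2"
    return "decoy" if h in decoys else "unknown"


def analyze_request(raw, cfg=CONFIG):
    """Pull the FormBook-style beacon traits out of one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    c2, _ = parse_config(cfg)
    return {
        "method": method,
        "host": host,
        "host_class": classify_host(host, cfg),
        # the URI path is shared between the real C2 and the decoys
        "path_matches_c2": any(urlsplit(target).path == p for _, p in c2),
        "no_user_agent": "user-agent" not in headers,
        "connection_close": headers.get("connection", "").lower() == "close",
        "body_all_nul": bool(body) and set(body) == {"\x00"},
    }


def blocklist(cfg=CONFIG):
    """Hosts to block: the real C2 first, then the decoys (a decoy in DNS
    logs still marks an infected host)."""
    c2, decoys = parse_config(cfg)
    return [h for h, _ in c2] + sorted(decoys)


if __name__ == "__main__":
    print(analyze_request(CAPTURED_REQUEST))
    print(blocklist())
```

Hosts are compared without the "www." prefix, because the config lists decoys bare while the bot prefixes them in the Host header; keep that in mind when matching the same list against proxy or DNS logs.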

E-Banking Fraud

Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.DHL WB# 2343640950.exe.6fd0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DHL WB# 2343640950.exe.6fd0000.9.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.428458566.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: DHL WB# 2343640950.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 0.2.DHL WB# 2343640950.exe.6fd0000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DHL WB# 2343640950.exe.6fd0000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.428458566.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_002B8791 0_2_002B8791
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_0257D15C 0_2_0257D15C
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_0257B094 0_2_0257B094
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_0257F5B2 0_2_0257F5B2
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_0257DB30 0_2_0257DB30
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_0257DB22 0_2_0257DB22
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 4_2_00278739 4_2_00278739
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 4_2_00278701 4_2_00278701
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041E85D 5_2_0041E85D
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041D863 5_2_0041D863
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041EBC3 5_2_0041EBC3
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041EBC6 5_2_0041EBC6
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041DD18 5_2_0041DD18
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00402D8C 5_2_00402D8C
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00409E60 5_2_00409E60
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00D88701 5_2_00D88701
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00D88739 5_2_00D88739
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04761002 13_2_04761002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B841F 13_2_046B841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D20A0 13_2_046D20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047720A8 13_2_047720A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BB090 13_2_046BB090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04771D55 13_2_04771D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A0D20 13_2_046A0D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C4120 13_2_046C4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AF900 13_2_046AF900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04772D07 13_2_04772D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BD5E0 13_2_046BD5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2581 13_2_046D2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C6E30 13_2_046C6E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04772EF7 13_2_04772EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047722AE 13_2_047722AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04772B28 13_2_04772B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04771FF1 13_2_04771FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476DBD2 13_2_0476DBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DEBB0 13_2_046DEBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062E85D 13_2_0062E85D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062EBC3 13_2_0062EBC3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062EBC6 13_2_0062EBC6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_00612D8C 13_2_00612D8C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_00612D90 13_2_00612D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_00619E60 13_2_00619E60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_00612FB0 13_2_00612FB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 046AB150 appears 35 times
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A360 NtCreateFile, 5_2_0041A360
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A410 NtReadFile, 5_2_0041A410
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A490 NtClose, 5_2_0041A490
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A540 NtAllocateVirtualMemory, 5_2_0041A540
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A35A NtCreateFile, 5_2_0041A35A
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A40A NtReadFile, 5_2_0041A40A
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A48A NtClose, 5_2_0041A48A
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A542 NtAllocateVirtualMemory, 5_2_0041A542
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_046E9860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9840 NtDelayExecution,LdrInitializeThunk, 13_2_046E9840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9540 NtReadFile,LdrInitializeThunk, 13_2_046E9540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_046E9910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E95D0 NtClose,LdrInitializeThunk, 13_2_046E95D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E99A0 NtCreateSection,LdrInitializeThunk, 13_2_046E99A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_046E9660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9650 NtQueryValueKey,LdrInitializeThunk, 13_2_046E9650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9A50 NtCreateFile,LdrInitializeThunk, 13_2_046E9A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_046E96E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E96D0 NtCreateKey,LdrInitializeThunk, 13_2_046E96D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9710 NtQueryInformationToken,LdrInitializeThunk, 13_2_046E9710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9FE0 NtCreateMutant,LdrInitializeThunk, 13_2_046E9FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9780 NtMapViewOfSection,LdrInitializeThunk, 13_2_046E9780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046EB040 NtSuspendThread, 13_2_046EB040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9820 NtEnumerateKey, 13_2_046E9820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E98F0 NtReadVirtualMemory, 13_2_046E98F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E98A0 NtWriteVirtualMemory, 13_2_046E98A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9560 NtWriteFile, 13_2_046E9560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9950 NtQueueApcThread, 13_2_046E9950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9520 NtWaitForSingleObject, 13_2_046E9520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046EAD30 NtSetContextThread, 13_2_046EAD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E95F0 NtQueryInformationFile, 13_2_046E95F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E99D0 NtCreateProcessEx, 13_2_046E99D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9670 NtQueryInformationProcess, 13_2_046E9670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9A20 NtResumeThread, 13_2_046E9A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9A00 NtProtectVirtualMemory, 13_2_046E9A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9610 NtEnumerateValueKey, 13_2_046E9610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9A10 NtQuerySection, 13_2_046E9A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9A80 NtOpenDirectoryObject, 13_2_046E9A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9760 NtOpenProcess, 13_2_046E9760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9770 NtSetInformationFile, 13_2_046E9770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046EA770 NtOpenThread, 13_2_046EA770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9730 NtQueryVirtualMemory, 13_2_046E9730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9B00 NtSetValueKey, 13_2_046E9B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046EA710 NtOpenProcessToken, 13_2_046EA710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E97A0 NtUnmapViewOfSection, 13_2_046E97A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046EA3B0 NtGetContextThread, 13_2_046EA3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A360 NtCreateFile, 13_2_0062A360
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A410 NtReadFile, 13_2_0062A410
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A490 NtClose, 13_2_0062A490
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A540 NtAllocateVirtualMemory, 13_2_0062A540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A35A NtCreateFile, 13_2_0062A35A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A40A NtReadFile, 13_2_0062A40A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A48A NtClose, 13_2_0062A48A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062A542 NtAllocateVirtualMemory, 13_2_0062A542
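The YARA matches above and the native-function listing that follows them become far easier to act on once they are joined per process: the memory-dump prefix (00000005, 0000000D) and the code-function prefix (5_2_, 13_2_) are the same sandbox process index, so the two listings describe the same processes from two angles. The script below is an added example by the editor, not part of the Joe Sandbox report and not its tooling. It parses a representative subset of the lines quoted above (copied verbatim), keys them on that process index, and names the processes that carry a FormBook hit next to the complete Nt* primitive set that hollowing or APC injection needs. The primitive sets and the "payload carrier" notion are this example's own heuristic; family labels are taken from the rule text, which is why the yara-signator memory lines, whose description never names the family, contribute a region but no label.

```python
import re
from collections import defaultdict

# One regex per line shape used in the report above (one instance quoted in each comment).
# "Source: 0000000D.00000002.641809703.0000000000EF0000.<flags>.sdmp, type: MEMORY Matched rule: ..."
YARA_MEM = re.compile(
    r"^Source:\s+(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\S*\.sdmp,"
    r"\s+type:\s+MEMORY\s+Matched rule:\s+(?P<rule>.+)$")
# "Source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: ..."
YARA_PE = re.compile(
    r"^Source:\s+(?P<pid>\d+)\.\d+\.(?P<name>.+?)\.(?P<addr>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack,"
    r"\s+type:\s+UNPACKEDPE\s+Matched rule:\s+(?P<rule>.+)$")
# "Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9950 NtQueueApcThread, 13_2_046E9950"
NATIVE = re.compile(
    r"^Source:\s+(?P<image>\S.*?)\s+Code function:\s+(?P<pid>\d+)_\d+_[0-9A-Fa-f]+"
    r"\s+(?P<apis>(?:\w+,)+)\s+\d+_\d+_[0-9A-Fa-f]+$")

FAMILIES = {"formbook": "FormBook", "zgrat": "zgRAT"}  # keyword in rule text -> label
# Assumed primitive sets (editor's heuristic): the full combination is the signal, not one call.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtWriteVirtualMemory", "NtQueueApcThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}

# Representative subset of the report lines above, copied verbatim.
REPORT_LINES = [
    r"Source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    r"Source: 00000000.00000002.428458566.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen",
    r"Source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    r"Source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    r"Source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com",
    r"Source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    r"Source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research",
    r"Source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT",
    r"Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_002B8791 0_2_002B8791",
    r"Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A360 NtCreateFile, 5_2_0041A360",
    r"Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A410 NtReadFile, 5_2_0041A410",
    r"Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041A540 NtAllocateVirtualMemory, 5_2_0041A540",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E99A0 NtCreateSection,LdrInitializeThunk, 13_2_046E99A0",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9780 NtMapViewOfSection,LdrInitializeThunk, 13_2_046E9780",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E98A0 NtWriteVirtualMemory, 13_2_046E98A0",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9950 NtQueueApcThread, 13_2_046E9950",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046EAD30 NtSetContextThread, 13_2_046EAD30",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E9A20 NtResumeThread, 13_2_046E9A20",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E97A0 NtUnmapViewOfSection, 13_2_046E97A0",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E99D0 NtCreateProcessEx, 13_2_046E99D0",
]


def families_in(rule_text):
    low = rule_text.lower()
    return {label for key, label in FAMILIES.items() if key in low}


def summarize(lines):
    """Map sandbox process index -> image, YARA families, hit regions, resolved Nt* APIs."""
    procs = defaultdict(lambda: {"image": None, "families": set(), "regions": set(), "apis": set()})
    for raw in lines:
        line = raw.strip()
        if m := YARA_MEM.match(line):
            p = procs[int(m["pid"], 16)]          # "0000000D" -> 13
            p["families"] |= families_in(m["rule"])
            p["regions"].add(int(m["addr"], 16))
        elif m := YARA_PE.match(line):
            p = procs[int(m["pid"])]
            p["image"] = p["image"] or m["name"]  # bare file name; a later NATIVE line upgrades it
            p["families"] |= families_in(m["rule"])
            p["regions"].add(int(m["addr"], 16))
        elif m := NATIVE.match(line):
            p = procs[int(m["pid"])]              # "13_2_..." -> 13, same process as above
            p["image"] = m["image"]
            p["apis"] |= {a for a in m["apis"].split(",") if a}
    return dict(procs)


def injection_techniques(apis):
    """Names of the techniques whose complete primitive set the process resolves."""
    return {label for label, needed in TECHNIQUES.items() if needed <= apis}


def payload_carriers(summary):
    """Process indexes holding a FormBook hit AND a complete injection primitive set."""
    return sorted(i for i, p in summary.items()
                  if "FormBook" in p["families"] and injection_techniques(p["apis"]))


def main():
    summary = summarize(REPORT_LINES)
    for i in sorted(summary):
        p = summary[i]
        print(f"[{i:>2}] {p['image'] or '<not named in this section>'}")
        print(f"     families={sorted(p['families'])} regions={[hex(r) for r in sorted(p['regions'])]}")
        print(f"     injection={sorted(injection_techniques(p['apis']))}")
    print("FormBook carriers with injection primitives:", payload_carriers(summary))


if __name__ == "__main__":
    main()
```

Two things in the resulting summary deserve an analyst's eye. Process 5 is the second copy of the sample: its image at 0x400000 matches FormBook although the file on disk is a .NET executable (see the TRID line further down), which is what a hollowed image looks like, and the only native calls it resolves are file and allocation primitives (NtCreateFile, NtReadFile, NtAllocateVirtualMemory) while the OriginalFilename strings for ntdll.dll and CMSTP.EXE turn up in its private memory, consistent with the payload reading its own copies of those images. Process 8 is never named in this section; given the chain its 0xEBB3000 hit is most plausibly the injected explorer.exe, but the section itself does not say so, and process 13 (cmstp.exe) is the one that carries the payload together with every primitive of the hollowing and APC sets.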
Source: DHL WB# 2343640950.exe, 00000000.00000002.420496255.000000000035C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFixupD.exe@ vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000000.00000002.428458566.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000004.00000000.409784167.000000000031C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFixupD.exe@ vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000005.00000000.414092644.0000000000E2C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFixupD.exe@ vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000005.00000002.511874001.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000005.00000003.421990942.00000000017FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000005.00000003.418819728.0000000001654000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000005.00000002.512345140.0000000003740000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe, 00000005.00000002.510678175.000000000198F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe Binary or memory string: OriginalFilenameFixupD.exe@ vs DHL WB# 2343640950.exe
Source: DHL WB# 2343640950.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL WB# 2343640950.exe Virustotal: Detection: 47%
Source: DHL WB# 2343640950.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL WB# 2343640950.exe "C:\Users\user\Desktop\DHL WB# 2343640950.exe"
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process created: C:\Users\user\Desktop\DHL WB# 2343640950.exe C:\Users\user\Desktop\DHL WB# 2343640950.exe
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process created: C:\Users\user\Desktop\DHL WB# 2343640950.exe C:\Users\user\Desktop\DHL WB# 2343640950.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL WB# 2343640950.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL WB# 2343640950.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@1/1
Source: DHL WB# 2343640950.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL WB# 2343640950.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL WB# 2343640950.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: DHL WB# 2343640950.exe, 00000005.00000002.512345140.0000000003740000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL WB# 2343640950.exe, 00000005.00000002.509487219.0000000001870000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.418665497.000000000153E000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000002.510678175.000000000198F000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.421562441.00000000016DC000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.510313145.0000000000EED000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.508015747.0000000000D46000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642289231.0000000004680000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642488316.000000000479F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL WB# 2343640950.exe, 00000005.00000002.509487219.0000000001870000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.418665497.000000000153E000.00000004.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000002.510678175.000000000198F000.00000040.00000800.00020000.00000000.sdmp, DHL WB# 2343640950.exe, 00000005.00000003.421562441.00000000016DC000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000D.00000003.510313145.0000000000EED000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.508015747.0000000000D46000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642289231.0000000004680000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.642488316.000000000479F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: DHL WB# 2343640950.exe, 00000005.00000002.512345140.0000000003740000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: DHL WB# 2343640950.exe, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL WB# 2343640950.exe.2b0000.0.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DHL WB# 2343640950.exe.2b0000.0.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL WB# 2343640950.exe.270000.2.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.DHL WB# 2343640950.exe.270000.0.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL WB# 2343640950.exe.270000.1.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL WB# 2343640950.exe.270000.3.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.DHL WB# 2343640950.exe.270000.0.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.DHL WB# 2343640950.exe.d80000.3.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.DHL WB# 2343640950.exe.d80000.7.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.DHL WB# 2343640950.exe.d80000.2.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.DHL WB# 2343640950.exe.d80000.9.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.DHL WB# 2343640950.exe.d80000.1.unpack, GothicCheckers/Form1.cs .Net Code: EventSlim System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_0257F162 pushfd ; iretd 0_2_0257F1C1
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_0257F160 pushad ; iretd 0_2_0257F161
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041EA33 push cs; ret 5_2_0041EA34
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_00405AC2 push ecx; retf 5_2_00405AC7
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_004172E0 push FFFFFF83h; ret 5_2_004172F3
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0040E3AF push cs; retf 5_2_0040E3B1
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041E461 push dword ptr [BC323EF3h]; ret 5_2_0041E4F2
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041D56C push eax; ret 5_2_0041D572
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041D502 push eax; ret 5_2_0041D508
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0041D50B push eax; ret 5_2_0041D572
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0040C6BA push ecx; retf 5_2_0040C6BB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046FD0D1 push ecx; ret 13_2_046FD0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062EA33 push cs; ret 13_2_0062EA34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_006272E0 push FFFFFF83h; ret 13_2_006272F3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_00615AC2 push ecx; retf 13_2_00615AC7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0061E3AF push cs; retf 13_2_0061E3B1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062E4A3 push dword ptr [BC323EF3h]; ret 13_2_0062E4F2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062D4B5 push eax; ret 13_2_0062D508
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062D56C push eax; ret 13_2_0062D572
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062D502 push eax; ret 13_2_0062D508
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062D50B push eax; ret 13_2_0062D572
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062DED8 push ss; ret 13_2_0062DED9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0062DEB0 push esi; retf 13_2_0062DEB1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0061C6BA push ecx; retf 13_2_0061C6BB
Source: initial sample Static PE information: section name: .text entropy: 7.85849718872

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmstp.exe Process created: /c del "C:\Users\user\Desktop\DHL WB# 2343640950.exe"
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xED
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.423321322.0000000002797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL WB# 2343640950.exe PID: 7048, type: MEMORYSTR
Source: DHL WB# 2343640950.exe, 00000000.00000002.423321322.0000000002797000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL WB# 2343640950.exe, 00000000.00000002.423321322.0000000002797000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000619904 second address: 000000000061990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000619B7E second address: 0000000000619B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe TID: 7052 Thread sleep time: -43731s >= -30000s
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe TID: 7100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 0_2_002BB65D rdtsc 0_2_002BB65D
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmstp.exe API coverage: 9.7 %
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Thread delayed: delay time: 43731
Source: DHL WB# 2343640950.exe, 00000000.00000002.423321322.0000000002797000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000008.00000000.434497528.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL WB# 2343640950.exe, 00000000.00000002.423321322.0000000002797000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000008.00000000.434708210.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000008.00000000.434497528.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 00000008.00000000.430072276.0000000006153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000008.00000000.434708210.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: explorer.exe, 00000008.00000000.434708210.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000008.00000000.455709980.0000000004347000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}3
Source: explorer.exe, 00000008.00000000.476095288.00000000042EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: DHL WB# 2343640950.exe, 00000000.00000002.423321322.0000000002797000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000008.00000000.543849828.00000000042A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
Source: DHL WB# 2343640950.exe, 00000000.00000002.423321322.0000000002797000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C746D mov eax, dword ptr fs:[00000030h] 13_2_046C746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04771074 mov eax, dword ptr fs:[00000030h] 13_2_04771074
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04762073 mov eax, dword ptr fs:[00000030h] 13_2_04762073
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0473C450 mov eax, dword ptr fs:[00000030h] 13_2_0473C450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DA44B mov eax, dword ptr fs:[00000030h] 13_2_046DA44B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C0050 mov eax, dword ptr fs:[00000030h] 13_2_046C0050
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D002D mov eax, dword ptr fs:[00000030h] 13_2_046D002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BB02A mov eax, dword ptr fs:[00000030h] 13_2_046BB02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DBC2C mov eax, dword ptr fs:[00000030h] 13_2_046DBC2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04774015 mov eax, dword ptr fs:[00000030h] 13_2_04774015
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04727016 mov eax, dword ptr fs:[00000030h] 13_2_04727016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04761C06 mov eax, dword ptr fs:[00000030h] 13_2_04761C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726C0A mov eax, dword ptr fs:[00000030h] 13_2_04726C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0477740D mov eax, dword ptr fs:[00000030h] 13_2_0477740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726CF0 mov eax, dword ptr fs:[00000030h] 13_2_04726CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A58EC mov eax, dword ptr fs:[00000030h] 13_2_046A58EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047614FB mov eax, dword ptr fs:[00000030h] 13_2_047614FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04778CD6 mov eax, dword ptr fs:[00000030h] 13_2_04778CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0473B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0473B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0473B8D0 mov ecx, dword ptr fs:[00000030h] 13_2_0473B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E90AF mov eax, dword ptr fs:[00000030h] 13_2_046E90AF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D20A0 mov eax, dword ptr fs:[00000030h] 13_2_046D20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DF0BF mov ecx, dword ptr fs:[00000030h] 13_2_046DF0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DF0BF mov eax, dword ptr fs:[00000030h] 13_2_046DF0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9080 mov eax, dword ptr fs:[00000030h] 13_2_046A9080
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B849B mov eax, dword ptr fs:[00000030h] 13_2_046B849B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04723884 mov eax, dword ptr fs:[00000030h] 13_2_04723884
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AC962 mov eax, dword ptr fs:[00000030h] 13_2_046AC962
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AB171 mov eax, dword ptr fs:[00000030h] 13_2_046AB171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CC577 mov eax, dword ptr fs:[00000030h] 13_2_046CC577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CB944 mov eax, dword ptr fs:[00000030h] 13_2_046CB944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E3D43 mov eax, dword ptr fs:[00000030h] 13_2_046E3D43
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04723540 mov eax, dword ptr fs:[00000030h] 13_2_04723540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C7D50 mov eax, dword ptr fs:[00000030h] 13_2_046C7D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04778D34 mov eax, dword ptr fs:[00000030h] 13_2_04778D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0472A537 mov eax, dword ptr fs:[00000030h] 13_2_0472A537
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C4120 mov eax, dword ptr fs:[00000030h] 13_2_046C4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C4120 mov ecx, dword ptr fs:[00000030h] 13_2_046C4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D4D3B mov eax, dword ptr fs:[00000030h] 13_2_046D4D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D4D3B mov eax, dword ptr fs:[00000030h] 13_2_046D4D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D4D3B mov eax, dword ptr fs:[00000030h] 13_2_046D4D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D513A mov eax, dword ptr fs:[00000030h] 13_2_046D513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D513A mov eax, dword ptr fs:[00000030h] 13_2_046D513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AAD30 mov eax, dword ptr fs:[00000030h] 13_2_046AAD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9100 mov eax, dword ptr fs:[00000030h] 13_2_046A9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9100 mov eax, dword ptr fs:[00000030h] 13_2_046A9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9100 mov eax, dword ptr fs:[00000030h] 13_2_046A9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04758DF1 mov eax, dword ptr fs:[00000030h] 13_2_04758DF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AB1E1 mov eax, dword ptr fs:[00000030h] 13_2_046AB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AB1E1 mov eax, dword ptr fs:[00000030h] 13_2_046AB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AB1E1 mov eax, dword ptr fs:[00000030h] 13_2_046AB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BD5E0 mov eax, dword ptr fs:[00000030h] 13_2_046BD5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BD5E0 mov eax, dword ptr fs:[00000030h] 13_2_046BD5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0476FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0476FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0476FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0476FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047341E8 mov eax, dword ptr fs:[00000030h] 13_2_047341E8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726DC9 mov ecx, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D35A1 mov eax, dword ptr fs:[00000030h] 13_2_046D35A1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D61A0 mov eax, dword ptr fs:[00000030h] 13_2_046D61A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D61A0 mov eax, dword ptr fs:[00000030h] 13_2_046D61A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047269A6 mov eax, dword ptr fs:[00000030h] 13_2_047269A6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046D1DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046D1DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046D1DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047705AC mov eax, dword ptr fs:[00000030h] 13_2_047705AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047705AC mov eax, dword ptr fs:[00000030h] 13_2_047705AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DA185 mov eax, dword ptr fs:[00000030h] 13_2_046DA185
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CC182 mov eax, dword ptr fs:[00000030h] 13_2_046CC182
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DFD9B mov eax, dword ptr fs:[00000030h] 13_2_046DFD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DFD9B mov eax, dword ptr fs:[00000030h] 13_2_046DFD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2990 mov eax, dword ptr fs:[00000030h] 13_2_046D2990
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B766D mov eax, dword ptr fs:[00000030h] 13_2_046B766D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E927A mov eax, dword ptr fs:[00000030h] 13_2_046E927A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0475B260 mov eax, dword ptr fs:[00000030h] 13_2_0475B260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0475B260 mov eax, dword ptr fs:[00000030h] 13_2_0475B260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04778A62 mov eax, dword ptr fs:[00000030h] 13_2_04778A62
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476EA55 mov eax, dword ptr fs:[00000030h] 13_2_0476EA55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04734257 mov eax, dword ptr fs:[00000030h] 13_2_04734257
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E4A2C mov eax, dword ptr fs:[00000030h] 13_2_046E4A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E4A2C mov eax, dword ptr fs:[00000030h] 13_2_046E4A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0475FE3F mov eax, dword ptr fs:[00000030h] 13_2_0475FE3F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AE620 mov eax, dword ptr fs:[00000030h] 13_2_046AE620
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B8A0A mov eax, dword ptr fs:[00000030h] 13_2_046B8A0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AC600 mov eax, dword ptr fs:[00000030h] 13_2_046AC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AC600 mov eax, dword ptr fs:[00000030h] 13_2_046AC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AC600 mov eax, dword ptr fs:[00000030h] 13_2_046AC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D8E00 mov eax, dword ptr fs:[00000030h] 13_2_046D8E00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046C3A1C mov eax, dword ptr fs:[00000030h] 13_2_046C3A1C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DA61C mov eax, dword ptr fs:[00000030h] 13_2_046DA61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DA61C mov eax, dword ptr fs:[00000030h] 13_2_046DA61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A5210 mov eax, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A5210 mov ecx, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A5210 mov eax, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A5210 mov eax, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AAA16 mov eax, dword ptr fs:[00000030h] 13_2_046AAA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AAA16 mov eax, dword ptr fs:[00000030h] 13_2_046AAA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04761608 mov eax, dword ptr fs:[00000030h] 13_2_04761608
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B76E2 mov eax, dword ptr fs:[00000030h] 13_2_046B76E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2AE4 mov eax, dword ptr fs:[00000030h] 13_2_046D2AE4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D16E0 mov ecx, dword ptr fs:[00000030h] 13_2_046D16E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04778ED6 mov eax, dword ptr fs:[00000030h] 13_2_04778ED6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D36CC mov eax, dword ptr fs:[00000030h] 13_2_046D36CC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2ACB mov eax, dword ptr fs:[00000030h] 13_2_046D2ACB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E8EC7 mov eax, dword ptr fs:[00000030h] 13_2_046E8EC7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0475FEC0 mov eax, dword ptr fs:[00000030h] 13_2_0475FEC0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04770EA5 mov eax, dword ptr fs:[00000030h] 13_2_04770EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04770EA5 mov eax, dword ptr fs:[00000030h] 13_2_04770EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04770EA5 mov eax, dword ptr fs:[00000030h] 13_2_04770EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047246A7 mov eax, dword ptr fs:[00000030h] 13_2_047246A7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BAAB0 mov eax, dword ptr fs:[00000030h] 13_2_046BAAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BAAB0 mov eax, dword ptr fs:[00000030h] 13_2_046BAAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DFAB0 mov eax, dword ptr fs:[00000030h] 13_2_046DFAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0473FE87 mov eax, dword ptr fs:[00000030h] 13_2_0473FE87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DD294 mov eax, dword ptr fs:[00000030h] 13_2_046DD294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DD294 mov eax, dword ptr fs:[00000030h] 13_2_046DD294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046ADB60 mov ecx, dword ptr fs:[00000030h] 13_2_046ADB60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BFF60 mov eax, dword ptr fs:[00000030h] 13_2_046BFF60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D3B7A mov eax, dword ptr fs:[00000030h] 13_2_046D3B7A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D3B7A mov eax, dword ptr fs:[00000030h] 13_2_046D3B7A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04778F6A mov eax, dword ptr fs:[00000030h] 13_2_04778F6A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046ADB40 mov eax, dword ptr fs:[00000030h] 13_2_046ADB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046BEF40 mov eax, dword ptr fs:[00000030h] 13_2_046BEF40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04778B58 mov eax, dword ptr fs:[00000030h] 13_2_04778B58
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046AF358 mov eax, dword ptr fs:[00000030h] 13_2_046AF358
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A4F2E mov eax, dword ptr fs:[00000030h] 13_2_046A4F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046A4F2E mov eax, dword ptr fs:[00000030h] 13_2_046A4F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DE730 mov eax, dword ptr fs:[00000030h] 13_2_046DE730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0473FF10 mov eax, dword ptr fs:[00000030h] 13_2_0473FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0473FF10 mov eax, dword ptr fs:[00000030h] 13_2_0473FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DA70E mov eax, dword ptr fs:[00000030h] 13_2_046DA70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DA70E mov eax, dword ptr fs:[00000030h] 13_2_046DA70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476131B mov eax, dword ptr fs:[00000030h] 13_2_0476131B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0477070D mov eax, dword ptr fs:[00000030h] 13_2_0477070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0477070D mov eax, dword ptr fs:[00000030h] 13_2_0477070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CF716 mov eax, dword ptr fs:[00000030h] 13_2_046CF716
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046CDBE9 mov eax, dword ptr fs:[00000030h] 13_2_046CDBE9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046E37F5 mov eax, dword ptr fs:[00000030h] 13_2_046E37F5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047253CA mov eax, dword ptr fs:[00000030h] 13_2_047253CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_047253CA mov eax, dword ptr fs:[00000030h] 13_2_047253CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D4BAD mov eax, dword ptr fs:[00000030h] 13_2_046D4BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D4BAD mov eax, dword ptr fs:[00000030h] 13_2_046D4BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D4BAD mov eax, dword ptr fs:[00000030h] 13_2_046D4BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04775BA5 mov eax, dword ptr fs:[00000030h] 13_2_04775BA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B1B8F mov eax, dword ptr fs:[00000030h] 13_2_046B1B8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B1B8F mov eax, dword ptr fs:[00000030h] 13_2_046B1B8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04727794 mov eax, dword ptr fs:[00000030h] 13_2_04727794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04727794 mov eax, dword ptr fs:[00000030h] 13_2_04727794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_04727794 mov eax, dword ptr fs:[00000030h] 13_2_04727794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0475D380 mov ecx, dword ptr fs:[00000030h] 13_2_0475D380
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046D2397 mov eax, dword ptr fs:[00000030h] 13_2_046D2397
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_0476138A mov eax, dword ptr fs:[00000030h] 13_2_0476138A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046DB390 mov eax, dword ptr fs:[00000030h] 13_2_046DB390
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 13_2_046B8794 mov eax, dword ptr fs:[00000030h] 13_2_046B8794
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.paycheckstubonlin.com
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.171 80
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 1250000
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Thread register set: target process: 3688
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3688
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process created: C:\Users\user\Desktop\DHL WB# 2343640950.exe C:\Users\user\Desktop\DHL WB# 2343640950.exe
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Process created: C:\Users\user\Desktop\DHL WB# 2343640950.exe C:\Users\user\Desktop\DHL WB# 2343640950.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL WB# 2343640950.exe"
Source: explorer.exe, 00000008.00000000.473241868.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.541582387.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.429858692.00000000058B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.473241868.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.452635282.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.541499450.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.473241868.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.425347355.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.453676551.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.473241868.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.425347355.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.453676551.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Users\user\Desktop\DHL WB# 2343640950.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL WB# 2343640950.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.39fbeb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.DHL WB# 2343640950.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DHL WB# 2343640950.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL WB# 2343640950.exe.38555a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508076221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508816712.00000000012F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425718736.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.493111927.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425338191.0000000003855000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417761109.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.466672366.000000000EBB3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.417286385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641809703.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508664053.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.640957593.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.641933655.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY