
Analysis Report DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample Name: DHL AWB TRACKING DETAILS.exe
Analysis ID: 299586
MD5: 9539c852eae0cdec4f4fa24ed5383fa2
SHA1: 67ed5c94517ddb913275eb5f2d51bff869caa97f
SHA256: 3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b
Tags: DHL, exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHL AWB TRACKING DETAILS.exe (PID: 2912 cmdline: 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
    • DHL AWB TRACKING DETAILS.exe (PID: 2016 cmdline: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
      • schtasks.exe (PID: 6704 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1C57.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6932 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1F75.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • DHL AWB TRACKING DETAILS.exe (PID: 1492 cmdline: 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' 0 MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
    • WerFault.exe (PID: 3064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 872 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • dhcpmon.exe (PID: 5012 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
    • dhcpmon.exe (PID: 4168 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
  • dhcpmon.exe (PID: 6476 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
    • dhcpmon.exe (PID: 5476 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
    • dhcpmon.exe (PID: 5484 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 9539C852EAE0CDEC4F4FA24ED5383FA2)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.244.30.39"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000018.00000002.877633977.0000000003FC9000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000018.00000002.877633977.0000000003FC9000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x43575:$a: NanoCore
  • 0x435ce:$a: NanoCore
  • 0x4360b:$a: NanoCore
  • 0x43684:$a: NanoCore
  • 0x56d2f:$a: NanoCore
  • 0x56d44:$a: NanoCore
  • 0x56d79:$a: NanoCore
  • 0x6fd3b:$a: NanoCore
  • 0x6fd50:$a: NanoCore
  • 0x6fd85:$a: NanoCore
  • 0x435d7:$b: ClientPlugin
  • 0x43614:$b: ClientPlugin
  • 0x43f12:$b: ClientPlugin
  • 0x43f1f:$b: ClientPlugin
  • 0x56aeb:$b: ClientPlugin
  • 0x56b06:$b: ClientPlugin
  • 0x56b36:$b: ClientPlugin
  • 0x56d4d:$b: ClientPlugin
  • 0x56d82:$b: ClientPlugin
  • 0x6faf7:$b: ClientPlugin
  • 0x6fb12:$b: ClientPlugin

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 10.2.DHL AWB TRACKING DETAILS.exe.50b0000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, ProcessId: 2016, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1C57.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1C57.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, ParentImage: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, ParentProcessId: 2016, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1C57.tmp', ProcessId: 6704

Signature Overview

AV Detection:

Found malware configuration
Source: DHL AWB TRACKING DETAILS.exe.2016.10.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.244.30.39"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: DHL AWB TRACKING DETAILS.exe | ReversingLabs: Detection: 48%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.877633977.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.875826551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.935141237.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.856829189.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.748621394.0000000004151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.932659657.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.930877950.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.933287360.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.838795518.00000000045E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.746323107.00000000043B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.856976361.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.877516053.0000000002FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.841520176.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.862241586.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5484, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4168, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2912, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2016, type: MEMORY
Source: Yara match | File source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL AWB TRACKING DETAILS.exe | Joe Sandbox ML: detected
Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: chinomso.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49767 -> 185.244.30.39:7688
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown | DNS traffic detected: queries for: chinomso.duckdns.org
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000014.00000003.771020930.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.933287360.00000000038D9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara match sources as listed under AV Detection above)

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.877633977.0000000003FC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.875826551.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000002.875826551.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.935141237.0000000005220000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.856829189.0000000002BD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.748621394.0000000004151000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.748621394.0000000004151000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.930877950.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.930877950.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.933287360.00000000038D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000003.838795518.00000000045E6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000003.838795518.00000000045E6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000003.746323107.00000000043B6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000003.746323107.00000000043B6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.856976361.0000000003BD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.934854207.00000000050B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000002.877516053.0000000002FC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.841520176.0000000004381000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.841520176.0000000004381000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.862241586.0000000003E21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000015.00000002.862241586.0000000003E21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5484, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5484, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4168, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4168, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2912, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2912, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2016, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2016, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.50b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeCode function: 2_2_0193A9A02_2_0193A9A0
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeCode function: 2_2_019369302_2_01936930
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeCode function: 2_2_019355302_2_01935530
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeCode function: 2_2_019369202_2_01936920
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeCode function: 10_2_062B004010_2_062B0040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_016A692017_2_016A6920
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_016A693017_2_016A6930
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_016A553017_2_016A5530
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_016AA9A017_2_016AA9A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_013B693021_2_013B6930
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_013B553021_2_013B5530
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_013B692021_2_013B6920
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_013BA9A021_2_013BA9A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_050AE47122_2_050AE471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_050AE48022_2_050AE480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_050ABBD422_2_050ABBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_0164E47124_2_0164E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_0164E48024_2_0164E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_0164BBD424_2_0164BBD4
        Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 872
        Source: DHL AWB TRACKING DETAILS.exe, 00000002.00000000.665548143.0000000000E60000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000002.00000002.748563949.000000000329D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000002.00000002.748621394.0000000004151000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameYeduovm.dll4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000003.750757904.0000000000CFD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.931995646.0000000000C8A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.935436223.0000000005E10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.932659657.00000000028D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.936047164.0000000006A00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.933287360.00000000038D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.933287360.00000000038D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000010.00000002.796136604.0000000005230000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000010.00000000.758799186.00000000009B0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exeBinary or memory string: OriginalFilenameLime_chinomso(1).exe4 vs DHL AWB TRACKING DETAILS.exe
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
        Source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.855465040.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.877633977.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.875826551.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000002.875826551.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.935141237.0000000005220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.935141237.0000000005220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.856829189.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.748621394.0000000004151000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.748621394.0000000004151000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.930877950.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.930877950.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.933287360.00000000038D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000003.838795518.00000000045E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000003.838795518.00000000045E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000003.746323107.00000000043B6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000003.746323107.00000000043B6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.856976361.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.934854207.00000000050B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.934854207.00000000050B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000018.00000002.877516053.0000000002FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.841520176.0000000004381000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.841520176.0000000004381000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.862241586.0000000003E21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.862241586.0000000003E21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5484, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5484, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5012, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4168, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4168, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2912, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2912, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2016, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2016, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.50b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.50b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.5220000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@19/12@16/2
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL AWB TRACKING DETAILS.exe.log
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1492
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4a223959-2261-4b59-86e0-9a888be789a8}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1C57.tmp
        Source: DHL AWB TRACKING DETAILS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: DHL AWB TRACKING DETAILS.exe | ReversingLabs: Detection: 48%
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File read: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
        Source: unknown | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1C57.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1F75.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 872
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1C57.tmp'
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1F75.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: DHL AWB TRACKING DETAILS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: DHL AWB TRACKING DETAILS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
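The process tree above carries the two behaviours the Sigma hits in the summary refer to: schtasks.exe registering the 'DHCP Monitor' and 'DHCP Monitor Task' tasks from XML files the dropper wrote to %TEMP% (tmp1C57.tmp, tmp1F75.tmp), and both the dropper and dhcpmon.exe launching a second copy of their own image, which is the process-creation shape of the suspended-process injection flagged under "Injects a PE file into a foreign processes". The detection below runs those two checks over process-creation events. It is an added example, not part of the report or of any vendor's rule set; the log lines are constructed to mirror the report's process tree, their Key=Value format is invented for the example, and the explorer.exe and svchost.exe parents are assumptions (the report lists the parent as 'unknown').

```python
"""Detection logic for the persistence chain seen in this report: schtasks.exe
registering a task from an XML file dropped in %TEMP%, and a process spawning
a copy of itself (the suspended-process injection pattern). Added example,
not part of the report or of any vendor's rules; the log lines are
constructed to mirror the report's process tree, and the explorer.exe and
svchost.exe parents are assumptions (the report lists them as 'unknown')."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Locations from which a legitimate installer should not feed schtasks an XML file.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Single-quoted, double-quoted or bare argument after /xml and /tn.
_XML_ARG = re.compile(r"/xml\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.I)
_TN_ARG = re.compile(r"/tn\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' line of the constructed log format."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def _arg(pattern: "re.Pattern", cmdline: str) -> Optional[str]:
    m = pattern.search(cmdline)
    return next((g for g in m.groups() if g), None) if m else None


def schtasks_from_temp(ev: ProcEvent) -> Optional[Dict[str, str]]:
    """schtasks.exe /create whose /xml task definition lives in a temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if "/create" not in ev.command_line.lower():
        return None
    xml = _arg(_XML_ARG, ev.command_line)
    if not xml or not any(d in xml.lower() for d in TEMP_DIRS):
        return None
    return {"rule": "schtasks_xml_from_temp",
            "task": _arg(_TN_ARG, ev.command_line) or "",
            "xml": xml, "parent": ev.parent_image}


def self_spawn(ev: ProcEvent) -> Optional[Dict[str, str]]:
    """A process launching its own image: the shape process hollowing takes
    (create a suspended copy, write the payload, resume), which the report
    records for both the dropper and dhcpmon.exe."""
    if ev.parent_image.lower() != ev.image.lower():
        return None
    return {"rule": "self_spawn", "image": ev.image, "parent": ev.parent_image}


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Run both checks over every event and collect the hits in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (schtasks_from_temp, self_spawn):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed process-creation log modelled on the report's process tree
# (parents are assumed; line 5 is a benign control that must not alert).
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe|CommandLine='C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe'",
    r"ParentImage=C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe|Image=C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe|CommandLine=C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe",
    r"ParentImage=C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe|Image=C:\Windows\SysWOW64\schtasks.exe|CommandLine='schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1C57.tmp'",
    r"ParentImage=C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe|Image=C:\Windows\SysWOW64\schtasks.exe|CommandLine='schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1F75.tmp'",
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks.exe /create /tn 'Nightly Backup' /xml 'C:\ProgramData\Backup\task.xml'",
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe|CommandLine='C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0",
    r"ParentImage=C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe|Image=C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe|CommandLine=C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Note that self_spawn on its own is noisy (browsers and updaters fork copies of themselves); in practice it is worth alerting on when, as here, the same parent also registered a scheduled task from %TEMP% or the child's image sits in a directory the parent created minutes earlier.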
        Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.766427928.000000000550D000.00000004.00000001.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.772316232.0000000005815000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000014.00000003.772244125.0000000005811000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000014.00000002.792316243.0000000005AC0000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 00000014.00000003.772304100.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: b.pdb source: DHL AWB TRACKING DETAILS.exe, 0000000A.00000002.932024476.0000000000CB2000.00000004.00000020.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.772304100.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.772304100.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdb\ source: WerFault.exe, 00000014.00000003.772244125.0000000005811000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.766810285.0000000003714000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.772316232.0000000005815000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp, WER3ADB.tmp.dmp.20.dr
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.PDB source: DHL AWB TRACKING DETAILS.exe, 00000010.00000002.792997014.0000000000D5B000.00000004.00000010.sdmp
        Source: Binary string: DHL AWB TRACKING DETAILS.PDB source: DHL AWB TRACKING DETAILS.exe, 00000010.00000002.792997014.0000000000D5B000.00000004.00000010.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.772304100.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000014.00000003.772316232.0000000005815000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 00000014.00000003.772244125.0000000005811000.00000004.00000040.sdmp
        Source: Binary string: clrjit.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000014.00000003.772316232.0000000005815000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbRSDS source: WER3ADB.tmp.dmp.20.dr
        Source: Binary string: version.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000014.00000002.792316243.0000000005AC0000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.772304100.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: shell32.pdbK source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000014.00000003.772244125.0000000005811000.00000004.00000040.sdmp, WER3ADB.tmp.dmp.20.dr
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.772201968.0000000005841000.00000004.00000001.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000014.00000003.772244125.0000000005811000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.772316232.0000000005815000.00000004.00000040.sdmp
        Source: Binary string: combase.pdbk source: WerFault.exe, 00000014.00000003.772316232.0000000005815000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.772331603.0000000005818000.00000004.00000040.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_00D851AF push ds; retf 2_2_00D851B0
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_00D86F31 pushfd ; retf 2_2_00D86F32
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_019339D7 push FFFFFFB8h; retn 0000h 2_2_019339E4
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_0193351A push FFFFFFB8h; retf 2_2_01933527
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_01934CA2 push FFFFFFBFh; iretd 2_2_01934CB8
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_0193472B push FFFFFFB8h; ret 2_2_01934739
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_0193535A push FFFFFFB8h; retf 2_2_01935367
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 2_2_0193421D push FFFFFFB8h; retn 0001h 2_2_01934221
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 10_2_004F51AF push ds; retf 10_2_004F51B0
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 10_2_004F6F31 pushfd ; retf 10_2_004F6F32
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 16_2_008D51AF push ds; retf 16_2_008D51B0
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 16_2_008D6F31 pushfd ; retf 16_2_008D6F32
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_00E251AF push ds; retf 17_2_00E251B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_00E26F31 pushfd ; retf 17_2_00E26F32
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A3525 push FFFFFFB8h; retf 17_2_016A3527
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A5530 push 00000001h; ret 17_2_016A57BC
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A5530 push 00000001h; retf 17_2_016A5804
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A39E2 push FFFFFFB8h; retn 0000h 17_2_016A39E4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A4CB6 push FFFFFFBFh; iretd 17_2_016A4CB8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A5365 push FFFFFFB8h; retf 17_2_016A5367
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A5779 push 00000001h; ret 17_2_016A57BC
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A4737 push FFFFFFB8h; ret 17_2_016A4739
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A57BD push 00000001h; retf 17_2_016A5804
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A421F push FFFFFFB8h; retn 0001h 17_2_016A4221
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A5AFA push 00000001h; iretd 17_2_016A5AFC
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A1AA9 push 00000001h; iretd 17_2_016A1ABC
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_016A0A97 push 00000001h; retf 17_2_016A0AB8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_00AB51AF push ds; retf 21_2_00AB51B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_00AB6F31 pushfd ; retf 21_2_00AB6F32
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_013B3525 push FFFFFFB8h; retf 21_2_013B3527
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_013B39E2 push FFFFFFB8h; retn 0000h 21_2_013B39E4
        Source: DHL AWB TRACKING DETAILS.exe, NhNJ1xJO6moRntLAe8/fIbByb3DhaZ1GxwXus.cs High entropy of concatenated method names: 'fIb3BybDh', 'uZ1JGxwXu', 'IPhdNJ1xO', 'Cmo7RntLA', 'n83lMIwbd', 'BSvBB9Rnm', 'GhRW5Jm1D', '.ctor', 'KMurmA2gG', 'Ruqi6Ny2i'
        Source: DHL AWB TRACKING DETAILS.exe, QM0ZD3XnuxLtjy15gu/JkCFwj4tFGJU2FZ1PO.cs High entropy of concatenated method names: 'BqQdkkAO7L', '.ctor', 'fbcUq2NGxW0w8p7pPll', 't4aJQmNgnJoVc5L2bmi', 'vn2Y21N8KKeLjOa1d4a', 'GHmHvvNFX9MjTOCtUEr', 'bQsHOeNlVrMN6P3ZhC1', 'FElGsQN3pXqe50jgC2G', 'UuLDF5N6KgUnKHGgVTB', 'BtUHUPNLpsWtMRgp2bS'
        Source: DHL AWB TRACKING DETAILS.exe, ROjXic3YIPkcswLeie4/m4f6kSzBZwptyeNxjr.cs High entropy of concatenated method names: 'fWddy41xFI', '.ctor',