Analysis Report DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Analysis ID: 381836
MD5: d9b97229c1ffefb60c6c1abe86eeb720
SHA1: da1a7ae1a7a9ac98b024955ce4317522a5bdf744
SHA256: 066cd9770911c86ad9b050f137ca0684413929fbd84a0cfb22013aa534d24523
Tags: DHL, exe

Detection

Nanocore
Score: 99
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe (PID: 6416 cmdline: 'C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe' MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
    • schtasks.exe (PID: 6928 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe (PID: 6976 cmdline: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
      • schtasks.exe (PID: 7012 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp939B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5304 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5792 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
  • dhcpmon.exe (PID: 6304 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
    • schtasks.exe (PID: 6952 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7124 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
    • dhcpmon.exe (PID: 7160 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: D9B97229C1FFEFB60C6C1ABE86EEB720)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "30fa397e-f04b-4185-b75b-392a4f17",
  "Group": "QUOTATION",
  "Domain1": "46.183.220.61",
  "Domain2": "",
  "Port": 4488,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4qRL3Dv9U6yo_YJzVNueLigr3DbGSqr8_$nTSKtZ2s=",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x6943b:$a: NanoCore
  • 0x69494:$a: NanoCore
  • 0x694d1:$a: NanoCore
  • 0x6954a:$a: NanoCore
  • 0x6949d:$b: ClientPlugin
  • 0x694da:$b: ClientPlugin
  • 0x69dd8:$b: ClientPlugin
  • 0x69de5:$b: ClientPlugin
  • 0x5f593:$e: KeepAlive
  • 0x69925:$g: LogClientMessage
  • 0x698a5:$i: get_Connected
  • 0x59871:$j: #=q
  • 0x598a1:$j: #=q
  • 0x598dd:$j: #=q
  • 0x59905:$j: #=q
  • 0x59935:$j: #=q
  • 0x59965:$j: #=q
  • 0x59995:$j: #=q
  • 0x599c5:$j: #=q
  • 0x599e1:$j: #=q
  • 0x59a11:$j: #=q
0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
27.2.dhcpmon.exe.3f805cc.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, ProcessId: 6976, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe', ParentImage: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, ParentProcessId: 6416, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp', ProcessId: 6928

Signature Overview

AV Detection:

Found malware configuration
Source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Virustotal: Detection: 15%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
Source: Yara match; File source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Joe Sandbox ML: detected
Source: 27.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe; Code function: 4x nop then jmp 078C5906h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then jmp 076A8D2Dh
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 46.183.220.61
Source: global traffic; TCP traffic: 192.168.2.6:49724 -> 46.183.220.61:4488
Source: Joe Sandbox View; ASN Name: DATACLUBLV DATACLUBLV
Source: unknown; TCP traffic detected without corresponding DNS query: 46.183.220.61
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dhcpmon.exe, 00000010.00000003.415029902.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comI.TTF
Source: dhcpmon.exe, 00000010.00000003.411494947.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comL
Source: dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come
Source: dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgrita4
Source: dhcpmon.exe, 00000010.00000003.425466653.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comita
Source: dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coml
Source: dhcpmon.exe, 00000010.00000003.425466653.0000000006210000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comlique
Source: dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comr
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dhcpmon.exe, 00000010.00000003.421492950.0000000006211000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000003.420843716.0000000006211000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000003.420843716.0000000006211000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378100903.000000000084B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: dhcpmon.exe, 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
Source: Yara match File source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.2f9965c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Code function: 0_2_055E2FAC NtQueryInformationProcess,
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Code function: 0_2_055E2F4F NtQueryInformationProcess,
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kySsoQgxcHO.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kySsoQgxcHO.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000003.350154316.000000000BB48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncCallback.exe> vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378434717.0000000000C00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.385474156.0000000005820000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.385977972.000000000BAB0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.386074442.000000000BB10000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.386074442.000000000BB10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000007.00000003.389908057.000000000103C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncCallback.exe> vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000007.00000003.394358669.0000000001052000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000000.387738474.0000000000D98000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAsyncCallback.exe> vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.465025738.00000000078D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.457898124.00000000014DA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.466196572.00000000079C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Binary or memory string: OriginalFilenameAsyncCallback.exe> vs DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.dhcpmon.exe.2f9965c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.2f9965c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kySsoQgxcHO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal99.troj.evad.winEXE@22/17@0/1
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File created: C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\pQYpSgYoAPoUDgWDtbUnxwuNFy
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{30fa397e-f04b-4185-b75b-392a4f177f00}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE715.tmp
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data); (the embedded Portuguese fragment "Erro ao listar Banco sql" reads "Error listing SQL database")
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Virustotal: Detection: 15%
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File read: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: unknown | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe 'C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp939B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp'
Source: unknown | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
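The process-creation lines above are the evidence behind two of the report's signatures: the "Scheduled temp file as task from temp location" Sigma hit (schtasks.exe importing a task definition from a .tmp file under %TEMP%) and "Creates a process in suspended mode" (each stage launching a second copy of its own image before injecting into it). As an added example that is not part of the Joe Sandbox report, the Python below applies both checks to process records constructed from the command lines listed; the first parent (explorer.exe) is an assumption, since the report lists it as "unknown", and the benign control record at the end is constructed.

```python
"""Triage of process-creation records for two behaviours listed in this
report: schtasks.exe importing a task definition from a .tmp file under a
temp directory, and a process launching a second copy of its own image
(the usual prelude to a suspended-process injection).

Added example, not part of the sandbox report. Records are constructed
from the command lines the report lists; the first parent is assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the created process
    command_line: str   # command line as logged (the report renders quotes as ')


DROPPER = r"C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe"
DHCPMON = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

SAMPLE_EVENTS = [
    # explorer.exe as the first parent is an assumption; the report says "unknown"
    ProcEvent(r"C:\Windows\explorer.exe", DROPPER, f"'{DROPPER}'"),
    ProcEvent(DROPPER, SCHTASKS,
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp'"),
    ProcEvent(DROPPER, DROPPER, DROPPER),            # dropper spawns itself before injecting
    ProcEvent(DROPPER, SCHTASKS,
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp939B.tmp'"),
    ProcEvent(DHCPMON, SCHTASKS,
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp'"),
    ProcEvent(DHCPMON, DHCPMON, DHCPMON),            # installed copy does the same
    # constructed benign control: an admin importing a task from a non-temp path
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks /Create /TN Backup /XML C:\Admin\backup-task.xml"),
]

# Quoted arguments in either quote style, otherwise whitespace-separated tokens.
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# Lower-cased path fragments that mark the temp directories of interest.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, honouring single- and double-quoted arguments."""
    toks = _TOKEN.findall(cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] in "'\"" and t[-1] == t[0] else t for t in toks]


def task_from_temp(ev: ProcEvent) -> Optional[str]:
    """Return the imported XML path when schtasks /create reads it from a temp directory."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    toks = tokenize(ev.command_line)
    low = [t.lower() for t in toks]
    if "/create" not in low or "/xml" not in low:
        return None
    i = low.index("/xml") + 1
    xml_path = toks[i] if i < len(toks) else ""
    return xml_path if any(m in xml_path.lower() for m in TEMP_MARKERS) else None


def self_spawn(ev: ProcEvent) -> bool:
    """True when a process creates a child from its own image file."""
    return ev.image.lower() == ev.parent_image.lower()


def triage(events):
    """Return (rule, parent_image, detail) tuples for every matching record."""
    findings = []
    for ev in events:
        xml = task_from_temp(ev)
        if xml:
            findings.append(("task_from_temp", ev.parent_image, xml))
        if self_spawn(ev):
            findings.append(("self_spawn", ev.parent_image, ev.image))
    return findings


if __name__ == "__main__":
    for rule, parent, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:15} parent={parent}  detail={detail}")
```

Both checks key on fields that Sysmon event 1 and Windows event 4688 (with command-line auditing enabled) carry, so the same logic ports directly to a SIEM query. The self-spawn check alone is noisy for some legitimate software (browsers, updaters); in this report it is the combination with the temp-directory task import and the later injection signatures that makes it decisive.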
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Automated click: OK
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Code function: 0_2_00C1A0DD push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Code function: 0_2_055E58C4 push ebp; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Code function: 0_2_055E58BA push ebp; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Code function: 12_2_014C8528 push eax; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Code function: 12_2_078C02C4 push esp; iretd
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Code function: 12_2_078C02E0 push esp; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 16_2_02F18528 push eax; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_02F993A5 push FFFFFF8Bh; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.80961870393
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File created (dropped file): C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File created (dropped file): C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp'
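The task definitions imported here (tmpE715.tmp, tmp939B.tmp, tmp9B0E.tmp, tmp9DB3.tmp) are not reproduced in the report; the sandbox only records that schtasks consumed them with /XML. As an added example that is not from the report, the Python below triages a Task Scheduler XML definition of the kind schtasks /Create /XML reads. SAMPLE_TASK_XML is a constructed stand-in: its action points at the dropped copy the report names (C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe), but its trigger, principal and settings are assumptions, not values recovered from the sample.

```python
"""Triage of a Task Scheduler XML definition (the format imported by
schtasks /Create /XML). Added example, not from the report; the task XML
below is a constructed stand-in, since the report does not show the
contents of the .tmp files it lists.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition. Only the Command path comes from the report;
# the trigger, principal and settings are assumed for illustration.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Lower-cased path fragments for directories an unprivileged user can write to.
# A task whose action lives there is user-controlled persistence, not a
# product's own scheduled job.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def parse_task(xml_text):
    """Return the facts an analyst wants from a task definition, plus risk flags."""
    root = ET.fromstring(xml_text)

    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}", 1)[-1] for c in trig]

    actions = [
        (e.findtext("t:Command", "", NS).strip(), e.findtext("t:Arguments", "", NS).strip())
        for e in root.findall("t:Actions/t:Exec", NS)
    ]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS).strip()
    hidden = root.findtext("t:Settings/t:Hidden", "", NS).strip().lower() == "true"
    time_limit = root.findtext("t:Settings/t:ExecutionTimeLimit", "", NS).strip()

    flags = set()
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        flags.add("runs_at_logon_or_boot")
    if any(any(m in cmd.lower() for m in USER_WRITABLE) for cmd, _ in actions):
        flags.add("command_in_user_writable_path")
    if hidden:
        flags.add("hidden")
    if time_limit == "PT0S":            # PT0S disables the run-time limit entirely
        flags.add("no_execution_time_limit")
    if run_level == "HighestAvailable":
        flags.add("highest_privileges")

    return {"triggers": triggers, "actions": actions, "run_level": run_level, "flags": flags}


def is_persistence_candidate(report):
    """Worth escalating: a user-writable payload that is re-launched at logon or boot."""
    return {"runs_at_logon_or_boot", "command_in_user_writable_path"} <= report["flags"]


if __name__ == "__main__":
    info = parse_task(SAMPLE_TASK_XML)
    print(info["actions"], sorted(info["flags"]), is_persistence_candidate(info))
```

On a live host the same parser can be fed the output of `schtasks /Query /TN "Updates\kySsoQgxcHO" /XML` (the task names are the ones the report shows), or the task files under C:\Windows\System32\Tasks, which hold the same XML.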

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | File opened: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process information set: NOOPENFILEERRORBOX (the report repeats this entry 88 times)
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe PID: 6416, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORY
          Source: Yara match | File source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.262b27c.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.dhcpmon.exe.302b1cc.1.raw.unpack, type: UNPACKEDPE
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Window / User API: threadDelayed 5214
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Window / User API: threadDelayed 3143
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Window / User API: foregroundWindowGot 506
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Window / User API: foregroundWindowGot 445
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe TID: 6420 | Thread sleep time: -101537s >= -30000s
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe TID: 6440 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe TID: 5972 | Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe TID: 6236 | Thread sleep time: -260000s >= -30000s
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe TID: 3068 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6208 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6488 | Thread sleep time: -104936s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6612 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6428 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Thread delayed: delay time: 101537
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 104936
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.465025738.00000000078D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464199907.0000000007460000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.465025738.00000000078D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464199907.0000000007460000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.465025738.00000000078D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464199907.0000000007460000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.465025738.00000000078D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.464199907.0000000007460000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process token adjusted: Debug
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Memory written: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe base: 400000 value starts with: 4D5A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp'
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp939B.tmp'
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
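The behaviour lines above fuse the process path and the action label ("...dhcpmon.exeQueries volume information: ..."), which makes them awkward to triage by eye. The following is an added example, not part of the Joe Sandbox report: a small parser that splits these lines on the known action labels, maps the SecurityCenter2 WMI queries and the MachineGuid read to the ATT&CK techniques the report's own matrix lists (Security Software Discovery, System Information Discovery), and treats the font VolumeInformation reads as framework noise. The six sample lines are copied from the report; the tag names and the mapping are this example's own.

```python
"""Triage helper for Joe Sandbox-style behaviour lines (added example, not part
of the report).  SAMPLE_LINES are copied from the report; the parser, the tag
names and the ATT&CK mapping are this example's own."""
import re
from collections import Counter

# Each line has the form "Source: <process path><action label>: <detail>".
# The path and the action label are fused with no separator, so split on the
# known labels instead of on whitespace.
ACTIONS = ("Queries volume information", "WMI Queries", "Key value queried")
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)(?P<action>"
    + "|".join(re.escape(a) for a in ACTIONS)
    + r"):\s*(?P<detail>.*)$"
)
WQL_RE = re.compile(r"FROM\s+(\w+)", re.IGNORECASE)

# Copied from the report above (two font reads, one registry read, three WMI queries).
SAMPLE_LINES = [
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation",
    r"Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
]


def parse_line(line):
    """Return {'proc', 'action', 'detail'} or None if the line is not a behaviour entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Map one parsed event to an ATT&CK technique ID, 'noise' or 'unclassified'."""
    detail = event["detail"]
    if event["action"] == "WMI Queries" and "SecurityCenter2" in detail:
        return "T1518.001"  # Security Software Discovery via the SecurityCenter2 namespace
    if event["action"] == "Key value queried" and detail.endswith("MachineGuid"):
        return "T1082"  # System Information Discovery: MachineGuid used as a host fingerprint
    if event["action"] == "Queries volume information" and detail.lower().endswith(".ttf volumeinformation"):
        return "noise"  # GDI+/WinForms font enumeration, not attacker-controlled behaviour
    return "unclassified"


def summarize(lines):
    """Count parsable events per technique tag."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[classify(ev)] += 1
    return dict(counts)


def wmi_classes(lines):
    """Sorted list of SecurityCenter2 classes the sample queried (AntiVirusProduct, ...)."""
    classes = set()
    for line in lines:
        ev = parse_line(line)
        if ev and classify(ev) == "T1518.001":
            m = WQL_RE.search(ev["detail"])
            if m:
                classes.add(m.group(1))
    return sorted(classes)


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print(wmi_classes(SAMPLE_LINES))
```

Run over the full report, the same parser shows the pattern a practitioner cares about: the three SecurityCenter2 queries are issued as a set and repeated many times, which is the classic polling loop for installed AV/firewall names, whereas the dozens of font reads come from the .NET UI stack and carry no signal.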

          Stealing of Sensitive Information:

Yara detected Nanocore RAT
          Source: Yara matchFile source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
          Source: Yara matchFile source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Detected Nanocore Rat
          Source: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000007.00000003.394358669.0000000001052000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
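The detection above rests on plain type and member names from the NanoCore client plugin host surviving in process memory. The following is an added example, not the community Yara rule the report used: a scanner that looks for three of the quoted names in a memory dump in both ASCII and UTF-16LE, because ECMA-335 metadata names are stored as UTF-8 while live managed strings on the .NET heap are UTF-16LE, and requires at least two distinct names before calling the dump NanoCore. The indicator strings are taken from the report; the sample dump buffer is constructed here and is not data from the report.

```python
"""String-indicator scanner for NanoCore in memory dumps (added example, not the
community Yara rule the report used).  INDICATORS are names quoted from the
dumps in the report; build_sample_dump() is a constructed stand-in for a dump."""
import re

# Type/member names the report found in the dhcpmon.exe and sample memory dumps.
# Chosen so that none is a substring of another, to keep hit counts honest.
INDICATORS = (
    b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost",
    b"ClientPlugin.dll",
)


def _patterns():
    """Yield (name, encoding, compiled pattern) for each indicator in both encodings.

    ECMA-335 metadata (the #Strings heap holding type and member names) is
    UTF-8, so a mapped assembly image carries the ASCII form; a System.String
    instance on the managed heap is UTF-16LE.  A dump of a running .NET process
    can contain either, so scan for both.
    """
    for name in INDICATORS:
        yield name, "ascii", re.compile(re.escape(name))
        wide = name.decode("ascii").encode("utf-16-le")
        yield name, "utf-16le", re.compile(re.escape(wide))


def scan(buf):
    """Return a sorted list of (offset, encoding, indicator) for every hit in buf."""
    hits = []
    for name, enc, pat in _patterns():
        for m in pat.finditer(buf):
            hits.append((m.start(), enc, name.decode("ascii")))
    return sorted(hits)


def is_nanocore(buf, min_distinct=2):
    """Verdict: at least min_distinct different indicator names, in any encoding.

    One name alone (for example ClientPlugin.dll) is too weak on its own; two
    or more distinct plugin-host names in one dump is the signal the Yara
    match above is reporting.
    """
    return len({name for _, _, name in scan(buf)}) >= min_distinct


def build_sample_dump():
    """Constructed stand-in for a process memory dump (not data from the report).

    Layout: 32 bytes of padding, the ASCII host name with its terminator,
    16 bytes of padding, then the interface name as a UTF-16LE managed string.
    """
    return (
        b"\x00" * 32
        + b"NanoCore.ClientPluginHost\x00"
        + b"\x00" * 16
        + "IClientNetworkHost".encode("utf-16-le")
        + b"\x00" * 24
    )


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, enc, name in scan(dump):
        print(f"0x{off:06x} {enc:9} {name}")
    print("nanocore" if is_nanocore(dump) else "clean")
```

The same scan applied to a real dump (the .sdmp regions listed in the report, or a full-process dump from an EDR) will also surface the UTF-16LE form of these names when the client has already been unpacked and instantiated, which is exactly the state captured in the 0000001B process regions above.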
Yara detected Nanocore RAT
          Source: Yara matchFile source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
          Source: Yara matchFile source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f805cc.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f805cc.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.dhcpmon.exe.427d1d8.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f7b796.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.dhcpmon.exe.427d1d8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.dhcpmon.exe.3f84bf5.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.387dd08.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection111 | Masquerading2 | Input Capture21 | Query Registry1 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery121 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection111 | NTDS | Virtualization/Sandbox Evasion31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

Behavior Graph ID: 381836 | Sample: DHL_Express_Shipment_Confir... | Start date: 05/04/2021 | Architecture: WINDOWS | Score: 99

Signatures on the root node: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 9 other signatures

Process tree (dropped files, network contacts and per-process signatures as recorded in the graph):

• DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
  • dropped: C:\Users\user\AppData\...\kySsoQgxcHO.exe (PE32); C:\Users\...\kySsoQgxcHO.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpE715.tmp (XML); DHL_Express_Shipme...8700456XXXX.exe.log (ASCII)
  • signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
  • DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe (child process)
    • network: 46.183.220.61, ports 4488, 49724, 49725 (DATACLUBLV, Latvia)
    • dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
    • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • schtasks.exe → conhost.exe
    • schtasks.exe → conhost.exe
  • schtasks.exe → conhost.exe
• dhcpmon.exe
  • schtasks.exe → conhost.exe
  • dhcpmon.exe
  • dhcpmon.exe
• dhcpmon.exe
• DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | 15% | Virustotal |
DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | 2% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 2% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe | 2% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

          Unpacked PE Files

Source | Detection | Scanner | Label
27.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
(empty URL) | 0% | Avira URL Cloud | safe
http://www.fontbureau.comL | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comI.TTF | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/V | 0% | Avira URL Cloud | safe
http://www.fontbureau.comita | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/O | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.come | 0% | Avira URL Cloud | safe
http://www.fontbureau.comr | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comgrita4 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.fontbureau.comlique | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
46.183.220.61 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
46.183.220.61 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comL | dhcpmon.exe, 00000010.00000003.411494947.0000000006223000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/ | dhcpmon.exe, 00000010.00000003.421492950.0000000006211000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000003.420843716.0000000006211000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.fontbureau.comI.TTF | dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.fontbureau.comF | dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.fontbureau.com/designers/? | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/V | dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comita | dhcpmon.exe, 00000010.00000003.425466653.0000000006210000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers? | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/O | dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.tiro.com | dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers | dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.coma | dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp; dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sajatypeworks.com | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.typography.netD | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.coml | dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp | false | | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000003.420843716.0000000006211000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://fontfabrik.com | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cn | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/frere-jones.html | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.come | dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | dhcpmon.exe, 00000010.00000003.415029902.000000000620F000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comr | dhcpmon.exe, 00000010.00000003.416436034.0000000006222000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000003.407162006.0000000006223000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.comgrita4 | dhcpmon.exe, 00000010.00000003.409900594.000000000620F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers8 | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.urwpp.deDPlease | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.464862697.0000000008122000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.zhongyicts.com.cn | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.comlique | dhcpmon.exe, 00000010.00000003.425466653.0000000006210000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp; dhcpmon.exe, 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe, 0000000C.00000002.463251639.0000000006210000.00000002.00000001.sdmp; dhcpmon.exe, 00000010.00000002.463357426.00000000062E0000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
46.183.220.61 | unknown | Latvia | 52048 | DATACLUBLV | true

                                      General Information

                                      Joe Sandbox Version:31.0.0 Emerald
                                      Analysis ID:381836
                                      Start date:05.04.2021
                                      Start time:08:38:31
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 14m 10s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:37
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal99.troj.evad.winEXE@22/17@0/1
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 0% (good quality ratio 0%)
                                      • Quality average: 34.5%
                                      • Quality standard deviation: 34.5%
                                      HCA Information:
                                      • Successful, ratio: 95%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • TCP Packets have been reduced to 100
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
08:39:23 | API Interceptor | 769x Sleep call for process: DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe modified
08:39:46 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:39:49 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe" s>$(Arg0)
08:39:52 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
08:40:03 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified
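The persistence chain in this table is the part of the report worth turning into a hunt: a Run value and two scheduled tasks all named after a fake "DHCP Monitor", one task pointing at the original Desktop sample and the other at the dropped copy, and (under Created / dropped Files further down) a dhcpmon.exe:Zone.Identifier stream written with ZoneId=0 so the dropped binary does not look downloaded. The Python below is an added example, not Joe Sandbox code and nothing taken from the sample: it runs three rules over Sysmon-style events constructed from the facts in this report. The event shapes, the use of Security event 4698 for task creation, the Sysmon Contents field on the stream event and the two benign control events are assumptions.

```python
"""Hunt the Run-key / scheduled-task / Zone.Identifier persistence chain
recorded in this report, over Sysmon-style events.

Added example for this report; not Joe Sandbox code and not the sample's
code. EVENTS is CONSTRUCTED from the report (drop of dhcpmon.exe by the
Desktop sample, ZoneId=0 stream, Run value, two tasks with "s>$(Arg0)").
Field names follow Sysmon IDs 11/13/15 and Security 4698, but the exact
log shapes and the benign control events are assumptions.
"""
import re

SAMPLE = (r"C:\Users\user\Desktop\DHL_Express_Shipment_Confirmation"
          r"BJC400618092909_88700456XXXX.exe")
DROPPED = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"

# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\",
    re.IGNORECASE)

EVENTS = [  # constructed; see module docstring
    {"id": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"id": 15, "Image": SAMPLE, "TargetFilename": DROPPED + ":Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=0"},
    {"id": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor",
     "Details": DROPPED},
    {"id": 4698, "TaskName": "DHCP Monitor", "Action": SAMPLE, "Arguments": "s>$(Arg0)"},
    {"id": 4698, "TaskName": "DHCP Monitor Task", "Action": DROPPED, "Arguments": "s>$(Arg0)"},
    # Benign controls (assumed) to show the rules stay quiet on normal autoruns.
    {"id": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"id": 4698, "TaskName": "MicrosoftEdgeUpdateTaskMachineCore",
     "Action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "Arguments": "/c"},
]


def _norm(path):
    return path.strip('"').lower()


def hunt(events):
    """Return (rule, object) findings. Events must be in time order so a file
    drop is seen before the autorun or task that points at it."""
    dropped = {}    # normalised path -> image of the user-location process that wrote it
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid == 11 and USER_WRITABLE.match(ev["Image"]):
            dropped[_norm(ev["TargetFilename"])] = ev["Image"]
        elif eid == 15 and _norm(ev["TargetFilename"]).endswith(":zone.identifier"):
            # Browser downloads carry ZoneId=3; a process explicitly writing
            # ZoneId=0 on a file it just dropped is removing the mark-of-the-web.
            m = re.search(r"ZoneId=(\d+)", ev.get("Contents", ""))
            if m and m.group(1) == "0":
                findings.append(("zone_identifier_cleared", ev["TargetFilename"]))
        elif eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
            target = _norm(ev["Details"])
            if target in dropped or USER_WRITABLE.match(ev["Details"]):
                findings.append(("run_key_to_dropped_binary", ev["TargetObject"]))
        elif eid == 4698:
            action = _norm(ev["Action"])
            if action in dropped or USER_WRITABLE.match(ev["Action"]):
                findings.append(("task_runs_dropped_or_user_binary", ev["TaskName"]))
    return findings


def persistence_names(findings):
    """Names of the autorun entries and tasks that fired; a shared name
    (here 'DHCP Monitor') ties the Run value and both tasks to one installer."""
    return {obj.rsplit("\\", 1)[-1] for rule, obj in findings
            if rule.startswith(("run_key", "task_"))}


if __name__ == "__main__":
    for rule, obj in hunt(EVENTS):
        print(f"{rule:36} {obj}")
    print("persistence names:", sorted(persistence_names(hunt(EVENTS))))
```

The join on TargetFilename is what makes the second task visible: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" looks like a legitimate install path on its own and only becomes suspicious because an event earlier in the same chain shows a Desktop executable writing it. In a SIEM the same correlation is a join of file-create events against Run values and task actions, keyed on the normalised path.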

                                      Joe Sandbox View / Context

                                      IPs

Match | Associated Sample Name / URL | Detection
46.183.220.61 | DHLExpressShipmentConfirmationBJC400618092909.exe | malicious

                                        Domains

                                        No context

                                        ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
DATACLUBLV | DHLExpressShipmentConfirmationBJC400618092909.exe | malicious | 46.183.220.61
DATACLUBLV | rvqFBwFrGxXFF29.exe | malicious | 84.38.130.171
DATACLUBLV | Richiesta offerta 030321.xlsx | malicious | 46.183.222.6
DATACLUBLV | SecuriteInfo.com.Variant.Bulz.378233.24136.exe | malicious | 46.183.223.110
DATACLUBLV | Precios Subasta hoy VENALCADI.xlsx | malicious | 46.183.222.56
DATACLUBLV | Purchase Order.xlsx | malicious | 46.183.222.56
DATACLUBLV | Order E51870.doc | malicious | 84.38.135.136
DATACLUBLV | Specification lista.doc | malicious | 84.38.135.136
DATACLUBLV | Greenkeeper Iberia S.L._Products Inquiry.doc | malicious | 46.183.220.125
DATACLUBLV | Invoice-30042020.doc | malicious | 46.183.220.125
DATACLUBLV | RFQ.doc | malicious | 46.183.220.125
DATACLUBLV | New Order 0012.doc | malicious | 46.183.220.125
DATACLUBLV | Walaa-Qasem-resume 2.doc | malicious | 46.183.220.125
DATACLUBLV | payment invoice.doc | malicious | 84.38.135.158
DATACLUBLV | swift.doc | malicious | 84.38.135.158
DATACLUBLV | Walaa-Qasem-resume 2.doc | malicious | 84.38.135.158
DATACLUBLV | 2020_SOA_Payment_21Dec2020.doc | malicious | 84.38.135.158
DATACLUBLV | Statement.doc | malicious | 84.38.135.158
DATACLUBLV | Quote Requirement.doc | malicious | 84.38.135.158
DATACLUBLV | New order.doc | malicious | 84.38.135.158

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Program Files (x86)\DHCP Monitor\Error Logs\20210405_Error_Log.txt
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):868
                                        Entropy (8bit):5.171217478584616
                                        Encrypted:false
                                        SSDEEP:12:pIvHfvfUUd3M1rQ19w0Ud3MbeYKkw/4tYEkud3VohEyrLON11W4E/PUrL0:pYHnB2r4CvBmKko9WduhdrC7U4APUrw
                                        MD5:7D8AFC1C165BCEB21BAA8499EA58E222
                                        SHA1:D30AF5677B25BAA2696E8151AB4897B0D07F7864
                                        SHA-256:67AC7B89C2E435E1A5504651DFAA85E63BD63A3E4B506247954AE6FE1A4CA91C
                                        SHA-512:1ECBE5B228BDBDF9741110484CBFEC78587FA770D76F6B6F64DF0A4260B0DDFD6840CE91BC7D7204F3E99596237269B4C339CAD0A18CD2973DD2041BB029E81B
                                        Malicious:false
                                        Reputation:low
                                        Preview: #05/04/2021 08:40:21 - Application Launch:System.IO.FileNotFoundException: Could not load file or assembly 'ExpTreeLib, Version=2.0.2210.18074, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified...File name: 'ExpTreeLib, Version=2.0.2210.18074, Culture=neutral, PublicKeyToken=null'.. at File_System_Controls.Main_Screen..ctor(Splash_Screen splash, String Base_Folder, String Base_Title).. at File_System_Controls.Startup_Module.main(String[] args)....WRN: Assembly binding logging is turned OFF...To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1...Note: There is some performance penalty associated with assembly bind failure logging...To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].....
                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1013760
                                        Entropy (8bit):7.690187102088683
                                        Encrypted:false
                                        SSDEEP:12288:+Owldk/VrgYFofcnJN4GMLPl/el40p5ht7wQiCIoDVgGU20Te6cifUAVW8HvSrmn:qldkpmUJOVh/el40LsCIgU1NhrV5DR
                                        MD5:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        SHA1:DA1A7AE1A7A9AC98B024955CE4317522A5BDF744
                                        SHA-256:066CD9770911C86AD9B050F137CA0684413929FBD84A0CFB22013AA534D24523
                                        SHA-512:FE428BA5DD490DD3FE4C0A8B2FB5C2ED03A4332FE8402353108134CD088960C1DB2CF96BA292A0CD56C59F56BFE9B354121C52A13DC48F68A12881631ED73A49
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 2%
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9]j`..............P..F...0.......d... ........... ....................................@..................................c..O........-........................................................................... ............... ..H............text....D... ...F.................. ..`.rsrc....-...........H..............@..@.reloc...............v..............@..B.................c......H.......8...T............R..0.............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r?..p~....o-...(......t$....+..*...0..&........(....rQ..p~....o-...(......
                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe.log
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLV1qE4x84qpE4Ks29E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:Mp1qHxv2HKX9HKnYHKhQnoPtHoxHhAHY
                                        MD5:7A13391722DD211EE965864ED695F98F
                                        SHA1:A2727064E64CEC2E4D920CE2556E0F80C4340118
                                        SHA-256:02C8A784C2BC2DF26F7368393709DD0ADDE74A0570A71DC8265FB34565AE0D27
                                        SHA-512:B7912F859C9EC50AD02176C32988C79707F97B80F8240D32BD348DF7658777D06CB68B9A23BE96736B100A51507B41E8620CC4E84C2DC39327E54DF10868474B
                                        Malicious:true
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLV1qE4x84qpE4Ks29E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:Mp1qHxv2HKX9HKnYHKhQnoPtHoxHhAHY
                                        MD5:7A13391722DD211EE965864ED695F98F
                                        SHA1:A2727064E64CEC2E4D920CE2556E0F80C4340118
                                        SHA-256:02C8A784C2BC2DF26F7368393709DD0ADDE74A0570A71DC8265FB34565AE0D27
                                        SHA-512:B7912F859C9EC50AD02176C32988C79707F97B80F8240D32BD348DF7658777D06CB68B9A23BE96736B100A51507B41E8620CC4E84C2DC39327E54DF10868474B
                                        Malicious:false
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                        C:\Users\user\AppData\Local\Temp\tmp939B.tmp
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1354
                                        Entropy (8bit):5.190868109213372
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V+xtn:cbk4oL600QydbQxIYODOLedq3bj
                                        MD5:5BE6EFB19614AE9356067B1512050486
                                        SHA1:AD393D16C5794AEA329D0D6E46E0EFE3F6F9A5EB
                                        SHA-256:3724BE253103531F3ACA4D9EA6F7F107E303222472655D358DFAB421ED33314A
                                        SHA-512:0141322A118AEFBB11FCC6C3B0916F24FF91FE6BDAB03E6A2DFFE99947F61F72C3332824721F8EF3BB2D3ACA8282C985FF6371DB6DC47F75B168A1F019D598C3
                                        Malicious:false
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1310
                                        Entropy (8bit):5.109425792877704
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                        Malicious:false
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1656
                                        Entropy (8bit):5.1598206040497745
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Itn:cbha7JlNQV/rydbz9I3YODOLNdq3k
                                        MD5:31FE4BE0D65FCD45654BC74FD483C77A
                                        SHA1:20153C1FC31538A188F592FBBD2D4492157AEC3C
                                        SHA-256:9DBF54FD4752E0E580C98FD39F385A734189323442A0FEB255E664523660C6AC
                                        SHA-512:6B00B797CC6550DC990D8E2ADD99F452AF620ABA8D58E538BCFBC0858ADC2035801E2FB29A06502CF1BB0F795644E11DB55F20F41DE2BBF6922E33D011D98133
                                        Malicious:false
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                        C:\Users\user\AppData\Local\Temp\tmpE715.tmp
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1656
                                        Entropy (8bit):5.1598206040497745
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Itn:cbha7JlNQV/rydbz9I3YODOLNdq3k
                                        MD5:31FE4BE0D65FCD45654BC74FD483C77A
                                        SHA1:20153C1FC31538A188F592FBBD2D4492157AEC3C
                                        SHA-256:9DBF54FD4752E0E580C98FD39F385A734189323442A0FEB255E664523660C6AC
                                        SHA-512:6B00B797CC6550DC990D8E2ADD99F452AF620ABA8D58E538BCFBC0858ADC2035801E2FB29A06502CF1BB0F795644E11DB55F20F41DE2BBF6922E33D011D98133
                                        Malicious:true
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2088
                                        Entropy (8bit):7.024371743172393
                                        Encrypted:false
                                        SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
                                        MD5:0D6805D12813A857D50D42D6EE2CCAB0
                                        SHA1:78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
                                        SHA-256:182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
                                        SHA-512:5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:Non-ISO extended-ASCII text
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:tf8P:VM
                                        MD5:B8E299615B6C2D82676A8DC7FF41243B
                                        SHA1:5BD1450898ECA9B6B6B0D9D7739DCF247139E8EF
                                        SHA-256:A885B3F8AF56FC072901193B7A25014958B3F4CA2EA14A35B87F1DAE9BCB4BBA
                                        SHA-512:44EA9E384AC6B4B71337FADCC937F6A7B562EA62EBEB8D8581B84932569059F0C56B1F304394440802F3AD7B04D92D2EA520B974F801D6C47BB23B87A47C08E6
                                        Malicious:true
                                        Preview: U=..I..H
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):40
                                        Entropy (8bit):5.221928094887364
                                        Encrypted:false
                                        SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                                        MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                                        SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                                        SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                                        SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):327432
                                        Entropy (8bit):7.99938831605763
                                        Encrypted:true
                                        SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                        MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                        SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                        SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                        SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):91
                                        Entropy (8bit):4.90573193713098
                                        Encrypted:false
                                        SSDEEP:3:oNN2+WhtU10VpXWPavtMMVc6fSVUT99jACn:oNN2RIqVpXWmww78Cn
                                        MD5:B2D1BF3A6CD4F6D29CCFF0B7B156A931
                                        SHA1:30B60177A772374349130C40D4AF6CE35C0D069F
                                        SHA-256:2DB323A7E3A0F265880D7BF2D05FC34CD0832225DB92C2F4A5C2649D2B159C18
                                        SHA-512:DDCF3F9F84CCA9B6BFC3246C92BE4B3E1E8B898C1656E96F2E1EEC19C879A8A31FDA06DB1793B2D6C1EF906ED8C1CAC64BE8A308FDCBD3DE15514D93F9B24533
                                        Malicious:false
                                        Preview: C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1013760
                                        Entropy (8bit):7.690187102088683
                                        Encrypted:false
                                        SSDEEP:12288:+Owldk/VrgYFofcnJN4GMLPl/el40p5ht7wQiCIoDVgGU20Te6cifUAVW8HvSrmn:qldkpmUJOVh/el40LsCIgU1NhrV5DR
                                        MD5:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        SHA1:DA1A7AE1A7A9AC98B024955CE4317522A5BDF744
                                        SHA-256:066CD9770911C86AD9B050F137CA0684413929FBD84A0CFB22013AA534D24523
                                        SHA-512:FE428BA5DD490DD3FE4C0A8B2FB5C2ED03A4332FE8402353108134CD088960C1DB2CF96BA292A0CD56C59F56BFE9B354121C52A13DC48F68A12881631ED73A49
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 2%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9]j`..............P..F...0.......d... ........... ....................................@..................................c..O........-........................................................................... ............... ..H............text....D... ...F.................. ..`.rsrc....-...........H..............@..@.reloc...............v..............@..B.................c......H.......8...T............R..0.............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r?..p~....o-...(......t$....+..*...0..&........(....rQ..p~....o-...(......
                                        C:\Users\user\AppData\Roaming\kySsoQgxcHO.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\Users\user\Desktop\Error Logs\20210405_Error_Log.txt
                                        Process:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):868
                                        Entropy (8bit):5.170268062969907
                                        Encrypted:false
                                        SSDEEP:12:PvHfvfUUd3M1rQ19w0Ud3MbeYKkw/4tYEkud3VohEyrLON11W4E/PUrL0:3HnB2r4CvBmKko9WduhdrC7U4APUrw
                                        MD5:F7A14E2FE36621A86312BD40D628488B
                                        SHA1:D26B78B68ED4F091253AE9982DDFA05069FCC3F3
                                        SHA-256:8B16CC139E9A6A75CC1B1CDC4BAFAD83C1C4D95E0E94DB023ADED8B4078B3B05
                                        SHA-512:5AC5EBC140D4AD32E81D422FF592B635B3C67EA8AD381876DA00EFAC4538D46F0D8199FC6A5E54757169AFB31486B6A058C0408879ED6C0AD3EE680D48DA172D
                                        Malicious:false
                                        Preview: #05/04/2021 08:40:20 - Application Launch:System.IO.FileNotFoundException: Could not load file or assembly 'ExpTreeLib, Version=2.0.2210.18074, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified...File name: 'ExpTreeLib, Version=2.0.2210.18074, Culture=neutral, PublicKeyToken=null'.. at File_System_Controls.Main_Screen..ctor(Splash_Screen splash, String Base_Folder, String Base_Title).. at File_System_Controls.Startup_Module.main(String[] args)....WRN: Assembly binding logging is turned OFF...To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1...Note: There is some performance penalty associated with assembly bind failure logging...To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].....

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.690187102088683
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        File size:1013760
                                        MD5:d9b97229c1ffefb60c6c1abe86eeb720
                                        SHA1:da1a7ae1a7a9ac98b024955ce4317522a5bdf744
                                        SHA256:066cd9770911c86ad9b050f137ca0684413929fbd84a0cfb22013aa534d24523
                                        SHA512:fe428ba5dd490dd3fe4c0a8b2fb5c2ed03a4332fe8402353108134cd088960c1db2cf96ba292a0cd56c59f56bfe9b354121c52a13dc48f68a12881631ed73a49
                                        SSDEEP:12288:+Owldk/VrgYFofcnJN4GMLPl/el40p5ht7wQiCIoDVgGU20Te6cifUAVW8HvSrmn:qldkpmUJOVh/el40LsCIgU1NhrV5DR
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9]j`..............P..F...0.......d... ........... ....................................@................................

                                        File Icon

                                        Icon Hash:eaee8e96b2a8e0b2

                                        Static PE Info

                                        General

                                        Entrypoint:0x110e640e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x11000000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x606A5D39 [Mon Apr 5 00:43:37 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [11002000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xe63bc          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe8000          0x12dc8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xfc000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                        Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type     Entropy         Characteristics
.text   0x2000           0xe4414       0xe4600   False     0.874214260057   SysEx File -  7.80961870393   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xe8000          0x12dc8       0x12e00   False     0.179506415563   data          4.33797945054   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xfc000          0xc           0x200     False     0.044921875      data          0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
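
The two tables above are what a PE header walk produces, and the numbers carry the first real signal in the report: a CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) inside .text confirms a managed executable, and a .text section at 7.81 bits per byte with ZLIB complexity 0.87 is far denser than plain CIL, which is consistent with an encrypted payload embedded in the assembly and decrypted at run time. As an added example, not code from the report or from the sample, here is a stdlib-only Python script that parses the section table and the data directories, computes per-section entropy, maps the CLR header to its section and flags executable sections above a threshold. It runs on a minimal PE32 image constructed inside the script (parseable, not loadable); the section layout, the 7.0 threshold and the sample contents are assumptions.

```python
"""Added example: PE section / data-directory triage with the standard library only."""
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
DIR_COM_DESCRIPTOR = 14  # index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _coff(pe: bytes):
    """Locate the COFF header; return (number_of_sections, optional_header_offset, optional_header_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _stamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    return nsec, coff + 20, opt_size


def parse_sections(pe: bytes) -> list:
    """Read the section table: 40-byte IMAGE_SECTION_HEADER entries right after the optional header."""
    nsec, opt, opt_size = _coff(pe)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": flags})
    return sections


def parse_data_directories(pe: bytes) -> list:
    """Return [(rva, size), ...] from the optional header; PE32 keeps them at +96, PE32+ at +112."""
    _, opt, opt_size = _coff(pe)
    if opt_size == 0:
        return []
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    count = struct.unpack_from("<I", pe, opt + (108 if pe32plus else 92))[0]
    base = opt + (112 if pe32plus else 96)
    return [struct.unpack_from("<II", pe, base + 8 * i) for i in range(count)]


def section_for_rva(sections: list, rva: int):
    """The 'Is in Section' column: the section whose virtual range contains the RVA, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(pe: bytes, threshold: float = 7.0) -> dict:
    """Entropy per section (over the raw bytes, so zero padding pulls it down) plus the CLR-header check."""
    sections = parse_sections(pe)
    for s in sections:
        s["entropy"] = shannon_entropy(pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        # An executable section near 8 bits/byte is the packed-or-encrypted-payload signal to chase.
        s["suspicious"] = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE) and s["entropy"] >= threshold
    dirs = parse_data_directories(pe)
    clr_rva, clr_size = dirs[DIR_COM_DESCRIPTOR] if len(dirs) > DIR_COM_DESCRIPTOR else (0, 0)
    return {"sections": sections, "is_dotnet": clr_size > 0,
            "clr_section": section_for_rva(sections, clr_rva) if clr_size else None}


def build_sample_pe(payloads: list) -> bytes:
    """CONSTRUCTED input: a minimal PE32 image that parses (it would not load) with the given sections."""
    opt = bytearray(0xE0)                                     # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header, as in the report
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, len(opt), 0x0102)
    raw_ptr = (len(dos) + 4 + len(coff) + len(opt) + 40 * len(payloads) + 0x1FF) & ~0x1FF  # file align 0x200
    va, table, blobs = 0x2000, b"", b""                       # section alignment 0x1000
    for name, data, flags in payloads:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va, raw_size, raw_ptr,
                             0, 0, 0, 0, flags)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va = (va + len(data) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust((len(headers) + 0x1FF) & ~0x1FF, b"\0") + blobs


SAMPLE_PE = build_sample_pe([
    (".text", bytes(range(256)) * 16, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", b"icon and manifest data " * 20, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".reloc", b"\0" * 12, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    print(f".NET: {result['is_dotnet']}  CLR header in: {result['clr_section']}")
    for s in result["sections"]:
        print(f"{s['name']:<8}{s['va']:#08x}  {s['entropy']:.2f}  {'SUSPICIOUS' if s['suspicious'] else ''}")
```

Run it against the real file by replacing SAMPLE_PE with the bytes of the sample: the values to expect are the ones in the tables above. The entropy check is a triage heuristic, not a verdict; resource-heavy or compressed-data sections legitimately score high, which is why the flag is restricted to sections marked IMAGE_SCN_MEM_EXECUTE. For a managed binary the next step is not the native disassembly but dumping the assembly's resources and decompiling the CIL to find where the high-entropy blob is decrypted.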

                                        Resources

Name           RVA      Size    Type
RT_ICON        0xe82e0  0xd228  data
RT_ICON        0xf5508  0x568   GLS_BINARY_LSB_FIRST
RT_ICON        0xf5a70  0x368   GLS_BINARY_LSB_FIRST
RT_ICON        0xf5dd8  0x2e8   data
RT_ICON        0xf60c0  0x8a8   data
RT_ICON        0xf6968  0xca8   data
RT_ICON        0xf7610  0x668   dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_ICON        0xf7c78  0xea8   data
RT_ICON        0xf8b20  0x1ca8  data
RT_GROUP_ICON  0xfa7c8  0x14    data
RT_GROUP_ICON  0xfa7dc  0x84    data
RT_VERSION     0xfa860  0x37c   data
RT_MANIFEST    0xfabdc  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
(The Language and Country columns are empty for every entry.)

                                        Imports

DLL          Import
mscoree.dll  _CorExeMain

                                        Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Price Club 2021 (C)
Assembly Version  5.1.0.8
InternalName      AsyncCallback.exe
FileVersion       5.1.0.9
CompanyName       Price Club
LegalTrademarks
Comments          2005 TVR Chimaera
ProductName       AsyncCausality
ProductVersion    5.1.0.9
FileDescription   AsyncCausality
OriginalFilename  AsyncCallback.exe

                                        Network Behavior

                                        Snort IDS Alerts

Timestamp (MM/DD/YY)      Protocol  SID  Message                                  Source Port  Dest Port  Source IP      Dest IP
04/05/21-08:39:20.111519  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:20.145131  ICMP      449  ICMP Time-To-Live Exceeded in Transit    -            -          84.17.52.126   192.168.2.6
04/05/21-08:39:20.146294  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:20.179485  ICMP      449  ICMP Time-To-Live Exceeded in Transit    -            -          5.56.20.161    192.168.2.6
04/05/21-08:39:20.181300  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:20.215937  ICMP      449  ICMP Time-To-Live Exceeded in Transit    -            -          91.206.52.152  192.168.2.6
04/05/21-08:39:20.216332  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:23.787083  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:27.784928  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:31.785720  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:35.785782  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:39.786862  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:43.786229  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:47.787164  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:51.787971  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:55.795299  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:39:59.788413  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:40:03.788641  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:40:07.789789  ICMP      384  ICMP PING                                -            -          192.168.2.6    13.107.4.50
04/05/21-08:40:07.822707  ICMP      408  ICMP Echo Reply                          -            -          13.107.4.50    192.168.2.6

                                        Network Port Distribution

                                        TCP Packets

All TCP traffic in the capture belongs to a single session, 192.168.2.6:49724 to 46.183.220.61:4488, opened at 08:39:51 roughly ten seconds after the first process start.

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Apr 5, 2021 08:39:51.479067087 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:51.548556089 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:51.549669981 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:51.646240950 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:51.733592987 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:51.742229939 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:51.812642097 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:51.835978985 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.039593935 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.039628029 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.039715052 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.109914064 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.109941959 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.109966040 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.109987020 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.110038996 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.110070944 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.182332993 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182357073 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182391882 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182419062 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182449102 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182476997 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182504892 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182503939 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.182523012 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.182534933 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.182615042 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.256707907 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.256802082 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.256843090 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.256895065 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.256901979 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.256934881 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.256953001 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.256969929 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257003069 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257038116 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257055044 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.257071972 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257097006 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257114887 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.257141113 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257143021 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.257180929 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257220984 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257261038 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257262945 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.257302046 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.257306099 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.302014112 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327092886 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327156067 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327210903 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327213049 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327269077 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327308893 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327318907 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327347040 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327383041 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327395916 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327416897 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327451944 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327486038 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327492952 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327519894 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327533960 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327554941 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327589989 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327593088 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327625036 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327656984 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327693939 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327718973 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327728033 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327744007 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327763081 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327796936 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327831030 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327841043 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327864885 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327883959 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327898979 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327934027 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.327938080 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.327969074 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.328002930 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.328037024 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.328051090 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.328071117 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.328082085 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.328104973 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.328768015 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.372050047 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.372071981 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.372154951 CEST  49724        4488       192.168.2.6    46.183.220.61
Apr 5, 2021 08:39:52.400876045 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.400932074 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.400968075 CEST  4488         49724      46.183.220.61  192.168.2.6
Apr 5, 2021 08:39:52.400995970 CEST  4488         49724      46.183.220.61  192.168.2.6

                                        Code Manipulations

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:08:39:21
                                        Start date:05/04/2021
                                        Path:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe'
                                        Imagebase:0x130000
                                        File size:1013760 bytes
                                        MD5 hash:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.381956927.00000000037E5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.378915713.0000000002621000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:08:39:42
                                        Start date:05/04/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE715.tmp'
                                        Imagebase:0xa30000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:39:42
                                        Start date:05/04/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff61de10000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:39:43
                                        Start date:05/04/2021
                                        Path:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        Imagebase:0x7f0000
                                        File size:1013760 bytes
                                        MD5 hash:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        General

                                        Start time:08:39:47
                                        Start date:05/04/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp939B.tmp'
                                        Imagebase:0xa30000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:39:47
                                        Start date:05/04/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff61de10000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:39:48
                                        Start date:05/04/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp'
                                        Imagebase:0xa30000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
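
Three of the processes above are schtasks.exe registering a task from an XML file staged in the user's AppData\Local\Temp directory: first Updates\kySsoQgxcHO, then 'DHCP Monitor' and 'DHCP Monitor Task' with /f to overwrite silently, after which the copy at C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe starts. A task whose definition comes from a temp file is a pattern legitimate installers essentially never produce, which makes it a cheap, high-precision hunt. As an added example, not part of the report, here is that detection logic in Python, run over constructed process-creation events: the first three carry the command lines from the process list above with the sandbox's single quotes normalised to the double quotes a real command line has; the process IDs and the benign events are invented.

```python
"""Added example: flag scheduled tasks registered from an XML file in a temp directory."""
import re

# Temp locations an installer has no reason to stage task XML in; extend for your estate.
TEMP_DIR_RE = re.compile(r"(?i)(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%)")
_VALUE = r'"([^"]*)"|' + r"'([^']*)'|(\S+)"   # a switch value: "quoted", 'quoted' (sandbox rendering) or bare


def switch_value(cmdline: str, switch: str):
    """Return the argument that follows a schtasks switch (case-insensitive), unquoted, or None."""
    m = re.search(r"(?i)(?:^|\s)" + re.escape(switch) + r"\s+(?:" + _VALUE + r")", cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def has_switch(cmdline: str, switch: str) -> bool:
    """True when the bare switch appears as its own token (so /f does not match /force-like values)."""
    return re.search(r"(?i)(?:^|\s)" + re.escape(switch) + r"(?:\s|$)", cmdline) is not None


def is_temp_xml_task_creation(event: dict) -> bool:
    """Detection logic: schtasks.exe /create ... /xml <file under a temp directory>."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = event.get("CommandLine", "")
    if not has_switch(cmd, "/create"):
        return False
    xml = switch_value(cmd, "/xml")
    return bool(xml) and TEMP_DIR_RE.search(xml) is not None


def hunt(events: list) -> list:
    """Run the rule over process-creation events and return one finding per hit."""
    findings = []
    for e in events:
        if is_temp_xml_task_creation(e):
            findings.append({
                "pid": e.get("ProcessId"),
                "task": switch_value(e["CommandLine"], "/tn"),
                "xml": switch_value(e["CommandLine"], "/xml"),
                "forced": has_switch(e["CommandLine"], "/f"),  # /f replaces an existing task without prompting
            })
    return findings


# CONSTRUCTED events: the first three reproduce the command lines from the process list above
# (quotes normalised); the process IDs and the three benign events are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kySsoQgxcHO" /XML "C:\Users\user\AppData\Local\Temp\tmpE715.tmp"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939B.tmp"'},
    {"ProcessId": 4212, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9B0E.tmp"'},
    {"ProcessId": 5001, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Vendor Update" /xml "C:\ProgramData\Vendor\update.xml"'},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "DHCP Monitor"'},
    {"ProcessId": 5003, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: task {f['task']!r} registered from {f['xml']} (forced={f['forced']})")
```

Key the rule on the XML path rather than on /f alone: installers also run /create /f, but they stage their XML under their own directory, not the user's temp directory. On a live host the same fields come from Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled, and the registered definition survives in C:\Windows\System32\Tasks\<task name> even after the temp file is deleted, which is where the action path (here the dhcpmon.exe copy) can be pulled from for the next pivot.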

                                        General

                                        Start time:08:39:49
                                        Start date:05/04/2021
                                        Path:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe 0
                                        Imagebase:0xcb0000
                                        File size:1013760 bytes
                                        MD5 hash:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:low

                                        General

                                        Start time:08:39:49
                                        Start date:05/04/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff61de10000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:39:52
                                        Start date:05/04/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                        Imagebase:0xcf0000
                                        File size:1013760 bytes
                                        MD5 hash:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 2%, ReversingLabs
                                        Reputation:low

                                        General

                                        Start time:08:39:55
                                        Start date:05/04/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                        Imagebase:0xbb0000
                                        File size:1013760 bytes
                                        MD5 hash:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.468634246.0000000003021000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.471514022.00000000041E4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:08:40:17
                                        Start date:05/04/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp'
                                        Imagebase:0xa30000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:40:18
                                        Start date:05/04/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff61de10000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:40:19
                                        Start date:05/04/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Imagebase:0x3b0000
                                        File size:1013760 bytes
                                        MD5 hash:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:08:40:20
                                        Start date:05/04/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Imagebase:0xa00000
                                        File size:1013760 bytes
                                        MD5 hash:D9B97229C1FFEFB60C6C1ABE86EEB720
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.489115680.0000000002F31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.486110377.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.489910498.0000000003F39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low
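
The process list above shows the two persistence steps a responder would hunt for on other hosts: the sample relaunches a byte-identical copy of itself (same MD5 D9B97229C1FFEFB60C6C1ABE86EEB720) from 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe', and that copy registers a scheduled task from an XML file staged in the user's Temp directory (the behaviour behind the "Scheduled temp file as task from temp location" Sigma hit). The following is an added detection example, not part of the Joe Sandbox report; it runs over constructed process-creation records whose field names (pid, ppid, image, cmdline, md5) are an assumption modelled on Sysmon Event ID 1, with one benign schtasks invocation included as a control.

```python
import re

# Constructed process-creation records (hypothetical Sysmon Event ID 1 style),
# modelled on the process list in this report. Field names are an assumption.
EVENTS = [
    {"pid": 1, "ppid": 0,
     "image": r"C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe",
     "cmdline": r"C:\Users\user\Desktop\DHL_Express_Shipment_ConfirmationBJC400618092909_88700456XXXX.exe 0",
     "md5": "D9B97229C1FFEFB60C6C1ABE86EEB720"},
    {"pid": 2, "ppid": 1,
     "image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmdline": r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0",
     "md5": "D9B97229C1FFEFB60C6C1ABE86EEB720"},
    {"pid": 3, "ppid": 2,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kySsoQgxcHO' /XML 'C:\Users\user\AppData\Local\Temp\tmp9DB3.tmp'",
     "md5": "15FF7D8324231381BAD48A052F85DF04"},
    # Benign control (constructed): task XML staged in ProgramData, not Temp.
    {"pid": 4, "ppid": 0,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'",
     "md5": "15FF7D8324231381BAD48A052F85DF04"},
]

# Sample hash taken from the report header; used to tag copies of the sample.
SAMPLE_MD5 = "D9B97229C1FFEFB60C6C1ABE86EEB720"

# /XML argument may be single-quoted, double-quoted, or bare.
XML_ARG_RE = re.compile(r"/xml\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.IGNORECASE)
# Paths that count as "temp locations": user Temp, Windows Temp, a bare \Temp\, or %TEMP%.
TEMP_DIR_RE = re.compile(
    r"(?:\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\|%temp%)", re.IGNORECASE)


def scheduled_task_from_temp(event):
    """Return the task XML path if this is schtasks /Create fed from a temp dir, else None."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    if not image.endswith("\\schtasks.exe") or "/create" not in cmd.lower():
        return None
    m = XML_ARG_RE.search(cmd)
    if not m:
        return None
    xml_path = next(g for g in m.groups() if g)
    return xml_path if TEMP_DIR_RE.search(xml_path) else None


def is_known_sample(event):
    """True if the process image hashes to the sample analysed in this report."""
    return event["md5"].upper() == SAMPLE_MD5


def run(events=EVENTS):
    """Walk the process tree once and return (rule, pid, detail) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        xml = scheduled_task_from_temp(e)
        if xml:
            findings.append(("scheduled_task_from_temp", e["pid"], xml))
        parent = by_pid.get(e["ppid"])
        # A child that is byte-identical to its parent but runs from a different
        # path is the "copy self to a trusted-looking directory and relaunch" step.
        if (parent and parent["md5"].upper() == e["md5"].upper()
                and parent["image"].lower() != e["image"].lower()):
            findings.append(("self_copy_relaunch", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run():
        print(f"{rule}: pid={pid} {detail}")
```

The self-copy rule keys on hash equality rather than on the "DHCP Monitor" name, since the directory and task names are per-build choices of the dropper; the schtasks rule keys on the staging location of the XML, which is what the Sigma rule in this report also looks at.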
