Windows Analysis Report DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample Name: DHL AWB TRACKING DETAILS.exe
Analysis ID: 502163
MD5: 1fc9414612683fa9b525a75355706490
SHA1: 780cee42ffebc33391e0a814db98e5cf8affed5e
SHA256: ae095ebb3fffa75296b6db100d55ef0dcf8e8c7eb9a0c616e0adb732dc4ee8c9
Tags: DHL, exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL AWB TRACKING DETAILS.exe Virustotal: Detection: 30%
Source: DHL AWB TRACKING DETAILS.exe ReversingLabs: Detection: 35%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Virustotal: Detection: 30%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe ReversingLabs: Detection: 35%
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.939950156.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: DHL AWB TRACKING DETAILS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL AWB TRACKING DETAILS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: b77a5c561934e089\mscorlib.pdb4 source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.938037408.000000000123C000.00000004.00000020.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4x nop then jmp 0816ABB1h 1_2_0816A29D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4x nop then jmp 06A2A1B1h 9_2_06A2989D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then jmp 0770A1B1h 10_2_0770989D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then jmp 06D5A1B1h 12_2_06D5989D

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: chinomso.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 129.205.113.12:7688
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000003.706613472.0000000001276000.00000004.00000001.sdmp String found in binary or memory: http://go.microsoft.c.r
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707666257.00000000032D1000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747672827.0000000002531000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.752990326.00000000032D1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: chinomso.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: dhcpmon.exe, 0000000A.00000002.751608578.0000000001508000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.939950156.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.57f0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.301cad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: DHL AWB TRACKING DETAILS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.DHL AWB TRACKING DETAILS.exe.57f0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.57f0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.DHL AWB TRACKING DETAILS.exe.301cad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.301cad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00EC65FB 1_2_00EC65FB
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00EC57CA 1_2_00EC57CA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08165CE0 1_2_08165CE0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08160006 1_2_08160006
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08160040 1_2_08160040
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0816512C 1_2_0816512C
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08165CD2 1_2_08165CD2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08161EC2 1_2_08161EC2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00EC3251 1_2_00EC3251
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_00A765FB 4_2_00A765FB
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_00A757CA 4_2_00A757CA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_0167E471 4_2_0167E471
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_0167E480 4_2_0167E480
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_0167BBD4 4_2_0167BBD4
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_00A73251 4_2_00A73251
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_001657CA 9_2_001657CA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_001665FB 9_2_001665FB
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_023BE6B8 9_2_023BE6B8
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_023BE6AA 9_2_023BE6AA
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_023BBD04 9_2_023BBD04
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A25CD3 9_2_06A25CD3
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A21EC2 9_2_06A21EC2
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A20007 9_2_06A20007
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A20040 9_2_06A20040
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_00163251 9_2_00163251
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00E665FB 10_2_00E665FB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00E657CA 10_2_00E657CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_017AE6B8 10_2_017AE6B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_017AE6B3 10_2_017AE6B3
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_017ABD04 10_2_017ABD04
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058DA798 10_2_058DA798
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058DA7A8 10_2_058DA7A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058D6E58 10_2_058D6E58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058D6E53 10_2_058D6E53
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07705CE0 10_2_07705CE0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07701EC2 10_2_07701EC2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07705CD3 10_2_07705CD3
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07700040 10_2_07700040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07700007 10_2_07700007
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00E63251 10_2_00E63251
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_004965FB 12_2_004965FB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00EDE6B8 12_2_00EDE6B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00EDE6AA 12_2_00EDE6AA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00EDBD04 12_2_00EDBD04
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D55CE0 12_2_06D55CE0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D51EC2 12_2_06D51EC2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D55CD1 12_2_06D55CD1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D50040 12_2_06D50040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D50006 12_2_06D50006
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00493251 12_2_00493251
Sample file is different than original file name gathered from version info
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.706392922.0000000000F62000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNullReferenceExcepti.exeD vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.711639678.0000000007FF0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.937946425.0000000001208000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.937469331.0000000000B12000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNullReferenceExcepti.exeD vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000009.00000002.746212476.0000000000202000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNullReferenceExcepti.exeD vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe, 00000009.00000002.752656721.00000000068D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: xWvcJacCRTJ.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL AWB TRACKING DETAILS.exe Virustotal: Detection: 30%
Source: DHL AWB TRACKING DETAILS.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File read: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
Source: DHL AWB TRACKING DETAILS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe'
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1FEB.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp252C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD512.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE36.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp6D1.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp'
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1FEB.tmp'
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp252C.tmp'
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD512.tmp'
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Local\Temp\tmpA586.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@30/12@6/1
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Mutant created: \Sessions\1\BaseNamedObjects\reblGreen Software DimWin Brightness
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_01
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{bee718f3-e47a-44f8-955e-2fe2c6c0351c}
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL AWB TRACKING DETAILS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: b77a5c561934e089\mscorlib.pdb4 source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.938037408.000000000123C000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: DHL AWB TRACKING DETAILS.exe, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: xWvcJacCRTJ.exe.1.dr, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.DHL AWB TRACKING DETAILS.exe.ec0000.0.unpack, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.DHL AWB TRACKING DETAILS.exe.ec0000.0.unpack, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.4.dr, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.DHL AWB TRACKING DETAILS.exe.a70000.1.unpack, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.DHL AWB TRACKING DETAILS.exe.a70000.0.unpack, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.DHL AWB TRACKING DETAILS.exe.160000.0.unpack, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.2.DHL AWB TRACKING DETAILS.exe.160000.0.unpack, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.dhcpmon.exe.e60000.0.unpack, Brightness.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0816D33D push FFFFFF8Bh; iretd 1_2_0816D33F
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A25627 push es; retf 9_2_06A25628
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A254A5 push es; ret 9_2_06A254C0
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A2553F push es; iretd 9_2_06A25548
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A25327 push es; ret 9_2_06A25328
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A2532F push es; retf 9_2_06A25350
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A2C844 push dword ptr [ebx+ebp-75h]; iretd 9_2_06A2C84D
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A2C93D push FFFFFF8Bh; iretd 9_2_06A2C93F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058D5808 pushad ; iretd 10_2_058D5809
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0770C93D push FFFFFF8Bh; iretd 10_2_0770C93F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D55625 push es; retf 12_2_06D55628
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D55335 push es; retf 12_2_06D55350
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D5C93D push FFFFFF8Bh; iretd 12_2_06D5C93F
Source: initial sample Static PE information: section name: .text entropy: 7.65420629233
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe File opened: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 10.2.dhcpmon.exe.32f2f2c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.257ea74.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.2952f18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.331ea60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.32f2f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.2552f44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.dhcpmon.exe.331ea30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.297ea1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.763599855.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.752990326.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.707666257.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.747672827.0000000002531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 3080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3480, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 6244 Thread sleep time: -39841s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 4560 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 1572 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 484 Thread sleep time: -35081s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 2800 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4164 Thread sleep time: -43700s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 584 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2388 Thread sleep time: -39227s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6552 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Window / User API: threadDelayed 2862 Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Window / User API: threadDelayed 6313 Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Window / User API: foregroundWindowGot 843 Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 39841 Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 35081 Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 43700 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 39227 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000003.794680583.00000000012B7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Memory written: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1FEB.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp252C.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD512.tmp' Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE36.tmp' Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp6D1.tmp' Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.940206730.00000000030ED000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.939299841.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: dhcpmon.exe Binary or memory string: ProgMan
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.939299841.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.706297602.0000000000EC2000.00000002.00020000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000004.00000002.937388520.0000000000A72000.00000002.00020000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.745972297.0000000000162000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000000.725075937.0000000000E62000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000000.737477946.0000000000492000.00000002.00020000.sdmp Binary or memory string: ProgMan!SHELLDLL_DefVIew
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.939299841.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.943623421.0000000006B7C000.00000004.00000010.sdmp Binary or memory string: Program Manager >

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.939950156.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
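The string hit above is the .NET #Strings metadata heap of the unpacked NanoCore plugin-host module, dumped with its NUL separators stripped, which is why the type and member names run together. The following is an added example, not Joe Sandbox's Yara rule and not NanoCore code: a small Python scanner that recovers identifiers from a raw memory dump the way `strings` would, keeps NUL-separated metadata names whole, and scores the names quoted in this report (NanoCore.ClientPluginHost, IClientNetworkHost, IClientLoggingHost, ClientPlugin.dll, RebuildHostCache, and so on). The indicator weights, the alert threshold, and the three sample buffers are constructed for the demonstration and are not taken from the report.

```python
"""Scan a raw memory dump / unpacked PE for NanoCore plugin-host identifiers.

Added illustration, not Joe Sandbox's Yara rule and not NanoCore's code.
The indicator names are the .NET metadata identifiers quoted in this report;
the weights, threshold and sample buffers below are constructed for the demo.
"""
import re
from typing import Dict, List, Set

# Identifiers from the "Detected Nanocore Rat" string hit. Only names that are
# not a prefix of another indicator are listed, so a hit is never counted twice.
NANOCORE_INDICATORS: Dict[str, int] = {
    "NanoCore.ClientPluginHost": 5,     # namespace of the plugin-host interfaces
    "IClientNetworkHost": 2,
    "IClientLoggingHost": 2,
    "IClientAppHost": 2,
    "IClientUIHost": 2,
    "IClientNameObjectCollection": 2,
    "ClientPlugin.dll": 2,              # module name stored in the #Strings heap
    "RebuildHostCache": 1,
    "AddHostEntry": 1,
    "DisableProtection": 1,
    "RestoreProtection": 1,
}
ALERT_THRESHOLD = 6  # assumed: the namespace alone is not enough, plus one interface is


def extract_strings(buf: bytes, min_len: int = 4) -> List[str]:
    """Recover candidate identifiers from a raw dump.

    .NET's #Strings heap is a run of NUL-terminated UTF-8 names, so split on NUL
    first (each metadata name stays whole), then take printable-ASCII runs of
    at least min_len bytes from every chunk, like the `strings` utility does.
    """
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found: List[str] = []
    for chunk in buf.split(b"\x00"):
        for m in printable.finditer(chunk):
            found.append(m.group().decode("ascii"))
    return found


def match_indicators(buf: bytes) -> Set[str]:
    """Return the set of indicators present in the dump.

    Substring matching is deliberate: a dump whose NUL separators were lost
    (as in the report's string hit) concatenates every name into one token.
    """
    hits: Set[str] = set()
    for s in extract_strings(buf):
        for indicator in NANOCORE_INDICATORS:
            if indicator in s:
                hits.add(indicator)
    return hits


def score(buf: bytes) -> int:
    return sum(NANOCORE_INDICATORS[h] for h in match_indicators(buf))


def is_nanocore(buf: bytes) -> bool:
    return score(buf) >= ALERT_THRESHOLD


# Constructed sample: a #Strings heap fragment of an unpacked plugin-host
# module (NUL-separated names) followed by unrelated binary padding.
SAMPLE_NANOCORE = (
    b"\x00<Module>\x00mscorlib\x00NanoCore.ClientPluginHost\x00IClientNetworkHost\x00"
    b"IClientLoggingHost\x00RebuildHostCache\x00AddHostEntry\x00ClientPlugin.dll\x00"
    + bytes(range(256))
)
# Constructed benign sample: a WinForms/VB app that only references the same
# framework assemblies the report lists (System.Windows.Forms, System.Drawing).
SAMPLE_BENIGN = (
    b"<Module>\x00mscorlib\x00System.Windows.Forms\x00System.Drawing\x00"
    b"Microsoft.VisualBasic\x00MyApplication\x00Form1\x00InitializeComponent\x00"
)
# Constructed sample mimicking the report's hit: the same heap with NULs stripped.
SAMPLE_NUL_STRIPPED = (
    b"<Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputer"
    b"MyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPlugin"
    b"IClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHost"
)

if __name__ == "__main__":
    for name, buf in (("nanocore", SAMPLE_NANOCORE), ("benign", SAMPLE_BENIGN),
                      ("nul-stripped", SAMPLE_NUL_STRIPPED)):
        print(f"{name:12s} score={score(buf):2d} hits={sorted(match_indicators(buf))}")
```

Run it against a `.sdmp` or `.unpack` file by reading the file as bytes and passing it to `is_nanocore`; the NUL-stripped sample shows why plain whole-token matching would miss a hit like the one recorded above.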
Yara detected Nanocore RAT
Source: Yara match File source: identical to the 34 UNPACKEDPE, MEMORY and MEMORYSTR sources listed under "Stealing of Sensitive Information" above