
Windows Analysis Report DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample Name: DHL AWB TRACKING DETAILS.exe
Analysis ID: 502163
MD5: 1fc9414612683fa9b525a75355706490
SHA1: 780cee42ffebc33391e0a814db98e5cf8affed5e
SHA256: ae095ebb3fffa75296b6db100d55ef0dcf8e8c7eb9a0c616e0adb732dc4ee8c9
Tags: DHL, exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • DHL AWB TRACKING DETAILS.exe (PID: 2600 cmdline: 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' MD5: 1FC9414612683FA9B525A75355706490)
    • schtasks.exe (PID: 3228 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL AWB TRACKING DETAILS.exe (PID: 6228 cmdline: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe MD5: 1FC9414612683FA9B525A75355706490)
      • schtasks.exe (PID: 6740 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1FEB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6756 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp252C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • DHL AWB TRACKING DETAILS.exe (PID: 3080 cmdline: 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' 0 MD5: 1FC9414612683FA9B525A75355706490)
    • schtasks.exe (PID: 6024 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD512.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 1692 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1FC9414612683FA9B525A75355706490)
    • schtasks.exe (PID: 5972 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE36.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 5996 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1FC9414612683FA9B525A75355706490)
  • dhcpmon.exe (PID: 3480 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1FC9414612683FA9B525A75355706490)
    • schtasks.exe (PID: 6772 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp6D1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 3740 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1FC9414612683FA9B525A75355706490)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x43575:$a: NanoCore
  • 0x435ce:$a: NanoCore
  • 0x4360b:$a: NanoCore
  • 0x43684:$a: NanoCore
  • 0x56d2f:$a: NanoCore
  • 0x56d44:$a: NanoCore
  • 0x56d79:$a: NanoCore
  • 0x6fd3b:$a: NanoCore
  • 0x6fd50:$a: NanoCore
  • 0x6fd85:$a: NanoCore
  • 0x435d7:$b: ClientPlugin
  • 0x43614:$b: ClientPlugin
  • 0x43f12:$b: ClientPlugin
  • 0x43f1f:$b: ClientPlugin
  • 0x56aeb:$b: ClientPlugin
  • 0x56b06:$b: ClientPlugin
  • 0x56b36:$b: ClientPlugin
  • 0x56d4d:$b: ClientPlugin
  • 0x56d82:$b: ClientPlugin
  • 0x6faf7:$b: ClientPlugin
  • 0x6fb12:$b: ClientPlugin
Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
(54 further memory dump entries are not shown in this view)

Unpacked PEs

Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
(61 further unpacked PE entries are not shown in this view)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, ProcessId: 6228, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, ProcessId: 6228, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, ProcessId: 6228, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, ProcessId: 6228, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHL AWB TRACKING DETAILS.exe, Virustotal: Detection: 30%
Source: DHL AWB TRACKING DETAILS.exe, ReversingLabs: Detection: 35%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 30%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe, ReversingLabs: Detection: 35%
Yara detected Nanocore RAT
Source: Yara match, File source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.939950156.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, Avira: Label: TR/NanoCore.fadte
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: DHL AWB TRACKING DETAILS.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL AWB TRACKING DETAILS.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: b77a5c561934e089\mscorlib.pdb4 source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.938037408.000000000123C000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, Code function: 4x nop then jmp 0816ABB1h
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe, Code function: 4x nop then jmp 06A2A1B1h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then jmp 0770A1B1h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then jmp 06D5A1B1h

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: chinomso.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.4:49763 -> 129.205.113.12:7688
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000003.706613472.0000000001276000.00000004.00000001.sdmp, String found in binary or memory: http://go.microsoft.c.r
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707666257.00000000032D1000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747672827.0000000002531000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.752990326.00000000032D1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown, DNS traffic detected: queries for: chinomso.duckdns.org
Source: dhcpmon.exe, 0000000A.00000002.751608578.0000000001508000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.939950156.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.57f0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.301cad8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: DHL AWB TRACKING DETAILS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.57f0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.57f0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.301cad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.301cad8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00EC65FB
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00EC57CA
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08165CE0
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08160006
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08160040
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_0816512C
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08165CD2
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_08161EC2
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 1_2_00EC3251
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_00A765FB
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_00A757CA
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_0167E471
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_0167E480
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_0167BBD4
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 4_2_00A73251
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_001657CA
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_001665FB
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_023BE6B8
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_023BE6AA
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_023BBD04
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A25CD3
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A21EC2
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A20007
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_06A20040
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Code function: 9_2_00163251
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00E665FB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00E657CA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_017AE6B8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_017AE6B3
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_017ABD04
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058DA798
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058DA7A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058D6E58
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_058D6E53
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07705CE0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07701EC2
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07705CD3
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07700040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_07700007
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00E63251
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_004965FB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00EDE6B8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00EDE6AA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00EDBD04
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D55CE0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D51EC2
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D55CD1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D50040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_06D50006
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_00493251
        Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.706392922.0000000000F62000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNullReferenceExcepti.exeD vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.711639678.0000000007FF0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.937946425.0000000001208000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.937469331.0000000000B12000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNullReferenceExcepti.exeD vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000009.00000002.746212476.0000000000202000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNullReferenceExcepti.exeD vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe, 00000009.00000002.752656721.00000000068D0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: xWvcJacCRTJ.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: DHL AWB TRACKING DETAILS.exeVirustotal: Detection: 30%
        Source: DHL AWB TRACKING DETAILS.exeReversingLabs: Detection: 35%
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File read: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
        Source: DHL AWB TRACKING DETAILS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe'
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1FEB.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp252C.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe 'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD512.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE36.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp6D1.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA586.tmp
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@30/12@6/1
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 occurrences)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Mutant created: \Sessions\1\BaseNamedObjects\reblGreen Software DimWin Brightness
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_01
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{bee718f3-e47a-44f8-955e-2fe2c6c0351c}
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: DHL AWB TRACKING DETAILS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: DHL AWB TRACKING DETAILS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: b77a5c561934e089\mscorlib.pdb4 source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.938037408.000000000123C000.00000004.00000020.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: DHL AWB TRACKING DETAILS.exe, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: xWvcJacCRTJ.exe.1.dr, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 1.2.DHL AWB TRACKING DETAILS.exe.ec0000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 1.0.DHL AWB TRACKING DETAILS.exe.ec0000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: dhcpmon.exe.4.dr, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.a70000.1.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.0.DHL AWB TRACKING DETAILS.exe.a70000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.DHL AWB TRACKING DETAILS.exe.160000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.2.DHL AWB TRACKING DETAILS.exe.160000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 10.0.dhcpmon.exe.e60000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 1_2_0816D33D push FFFFFF8Bh; iretd
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 9_2_06A25627 push es; retf
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 9_2_06A254A5 push es; ret
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 9_2_06A2553F push es; iretd
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 9_2_06A25327 push es; ret
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 9_2_06A2532F push es; retf
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 9_2_06A2C844 push dword ptr [ebx+ebp-75h]; iretd
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Code function: 9_2_06A2C93D push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_058D5808 pushad ; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0770C93D push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_06D55625 push es; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_06D55335 push es; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_06D5C93D push FFFFFF8Bh; iretd
        Source: initial sample | Static PE information: section name: .text entropy: 7.65420629233 (3 occurrences)
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | File opened: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Process information set: NOOPENFILEERRORBOX (108 occurrences)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match File source: 10.2.dhcpmon.exe.32f2f2c.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.257ea74.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.2952f18.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.331ea60.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.DHL AWB TRACKING DETAILS.exe.32f2f30.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 9.2.DHL AWB TRACKING DETAILS.exe.2552f44.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.dhcpmon.exe.331ea30.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.297ea1c.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.763599855.0000000002970000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.752990326.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.707666257.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.747672827.0000000002531000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 2600, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 3080, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1692, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3480, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 6244 Thread sleep time: -39841s >= -30000s
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 4560 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 1572 Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 484 Thread sleep time: -35081s >= -30000s
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe TID: 2800 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4164 Thread sleep time: -43700s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 584 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2388 Thread sleep time: -39227s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6552 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Window / User API: threadDelayed 2862
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Window / User API: threadDelayed 6313
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Window / User API: foregroundWindowGot 843
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 39841
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Thread delayed: delay time: 35081
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 43700
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 39227
        Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000003.794680583.00000000012B7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Memory written: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp'
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1FEB.tmp'
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp252C.tmp'
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpD512.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE36.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp6D1.tmp'
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.940206730.00000000030ED000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.939299841.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
        Source: dhcpmon.exe Binary or memory string: ProgMan
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.939299841.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Progman
        Source: DHL AWB TRACKING DETAILS.exe, 00000001.00000002.706297602.0000000000EC2000.00000002.00020000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000004.00000002.937388520.0000000000A72000.00000002.00020000.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.745972297.0000000000162000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000000.725075937.0000000000E62000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000000.737477946.0000000000492000.00000002.00020000.sdmp Binary or memory string: ProgMan!SHELLDLL_DefVIew
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.939299841.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
        Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.943623421.0000000006B7C000.00000004.00000010.sdmp Binary or memory string: Program Manager >
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 12.2.dhcpmon.exe.39b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.4351f58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.40405cc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.4044bf5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.403b796.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL AWB TRACKING DETAILS.exe.5994629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL AWB TRACKING DETAILS.exe.4351f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.4351f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.39b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.DHL AWB TRACKING DETAILS.exe.35b1f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.783002192.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.767411519.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.769300129.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.939950156.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.764227054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.769435177.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.780784304.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.767049209.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.767904122.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.783141680.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL AWB TRACKING DETAILS.exe PID: 6228, type: MEMORYSTR

        Remote Access Functionality:

Detected Nanocore Rat
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: DHL AWB TRACKING DETAILS.exe, 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

        Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Masquerading2 | Input Capture21 | Query Registry1 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

Behavior Graph ID: 502163 | Sample: DHL AWB TRACKING DETAILS.exe | Start date: 13/10/2021 | Architecture: WINDOWS | Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures
Process tree (text recovered from the graph):
• DHL AWB TRACKING DETAILS.exe (started); drops C:\Users\user\AppData\...\xWvcJacCRTJ.exe (PE32), C:\Users\user\AppData\Local\...\tmpA586.tmp (XML), C:\Users\...\DHL AWB TRACKING DETAILS.exe.log (ASCII); signature: Injects a PE file into a foreign processes
  • DHL AWB TRACKING DETAILS.exe (started); contacts chinomso.duckdns.org (129.205.113.12, port 7688, globacom-asNG, Nigeria); drops C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (data), C:\...\dhcpmon.exe:Zone.Identifier (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • schtasks.exe (started), which starts conhost.exe
    • schtasks.exe (started), which starts conhost.exe
  • schtasks.exe (started), which starts conhost.exe
• DHL AWB TRACKING DETAILS.exe (started)
• dhcpmon.exe (started)
• dhcpmon.exe (started)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
DHL AWB TRACKING DETAILS.exe | 30% | Virustotal |
DHL AWB TRACKING DETAILS.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 30% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Unpacked PE Files

Source | Detection | Scanner | Label
4.2.DHL AWB TRACKING DETAILS.exe.5990000.7.unpack | 100% | Avira | TR/NanoCore.fadte
4.2.DHL AWB TRACKING DETAILS.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://go.microsoft.c.r | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
chinomso.duckdns.org | 129.205.113.12 | true | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://go.microsoft.c.r | DHL AWB TRACKING DETAILS.exe, 00000004.00000003.706613472.0000000001276000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.707666257.00000000032D1000.00000004.00000001.sdmp, DHL AWB TRACKING DETAILS.exe, 00000009.00000002.747672827.0000000002531000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.752990326.00000000032D1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | DHL AWB TRACKING DETAILS.exe, 00000001.00000002.710044525.0000000007392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
129.205.113.12 | chinomso.duckdns.org | Nigeria | 37148 | globacom-asNG | false

                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502163
Start date: 13.10.2021
Start time: 17:07:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DHL AWB TRACKING DETAILS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@30/12@6/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 77.5%
• Quality standard deviation: 17.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
                                Warnings:
                                Show All
                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.210.154, 95.100.218.79, 20.50.102.62, 93.184.221.240, 2.20.178.33, 2.20.178.24, 20.54.110.249, 40.112.88.60
                                • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                • Not all processes were analyzed; report is missing behavior information
                                • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                Time | Type | Description
                                17:08:27 | API Interceptor | 883x Sleep call for process: DHL AWB TRACKING DETAILS.exe modified
                                17:08:41 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe" s>$(Arg0)
                                17:08:41 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                17:08:44 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                17:08:46 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):651776
                                Entropy (8bit):7.645296007215276
                                Encrypted:false
                                SSDEEP:12288:o0cPk+EcPRnhUVjfP+Uuf2j613ztwXUoaAE0UErHPsRIY9Zi6g6SB:JcPhEcpw+U02e13ztwXUoaAlrvsxi6aB
                                MD5:1FC9414612683FA9B525A75355706490
                                SHA1:780CEE42FFEBC33391E0A814DB98E5CF8AFFED5E
                                SHA-256:AE095EBB3FFFA75296B6DB100D55EF0DCF8E8C7EB9A0C616E0ADB732DC4EE8C9
                                SHA-512:87777CA70B286FDB5B769EFAB741A09546E68825769B381328E8DEB9321099A5315A30CBF512CACD3297BB1F7CD55983048AEB15C47862A4811BCE2A6BF4DBEB
                                Malicious:true
                                Antivirus:
                                • Antivirus: Virustotal, Detection: 30%, Browse
                                • Antivirus: ReversingLabs, Detection: 36%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....yfa..............0.................. ... ....@.. .......................`............@.................................P...O.... ..(....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...(.... ......................@..@.reloc.......@......................@..B........................H........C..t{..........@....E..........................................".(.....*....0............|....(.....+..*....0...............|.....(.......(&....*...0............{....l#......o@[.+..*..0..W.........#.......?....,..#.......?...+..#............,..#.............#......o@Z.}.....(&....*..0............{.....+..*.0................}.....*....0............(....(l....+..*....0..............,.....(-.....+...(......*....0............{.....+..*.0..C...........,...(.....(.........
                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:unknown
                                Preview: [ZoneTransfer]....ZoneId=0
                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL AWB TRACKING DETAILS.exe.log
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):1216
                                Entropy (8bit):5.355304211458859
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious:true
                                Reputation:unknown
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.355304211458859
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious:false
                                Reputation:unknown
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                C:\Users\user\AppData\Local\Temp\tmp252C.tmp
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):1310
                                Entropy (8bit):5.109425792877704
                                Encrypted:false
                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                Malicious:false
                                Reputation:unknown
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                C:\Users\user\AppData\Local\Temp\tmp6D1.tmp
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGztn:cbhK79lNQR/rydbz9I3YODOLNdq3c
                                MD5:98538A364A3BA38F686CD7300023F6F3
                                SHA1:A7448453C818945E0EE9F3B3DF5C9DBBB3908B08
                                SHA-256:32A23EDC35BA2651543B0A153DF21A74365487C55D25342F2D50AAD9BAC4C6E9
                                SHA-512:B097B2D8A7C66A4EF8E9080F2BE0EE8757340FAB89B154C2DEB0C25AA8EDD043A08065D527CABE29AF35398B5C4E1E9F5A96018493372301899A968FF0B8D8F9
                                Malicious:false
                                Reputation:unknown
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                C:\Users\user\AppData\Local\Temp\tmpA586.tmp
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1644
                                Entropy (8bit):5.184496115167584
                                Encrypted:false
                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGztn:cbhK79lNQR/rydbz9I3YODOLNdq3c
                                MD5:98538A364A3BA38F686CD7300023F6F3
                                SHA1:A7448453C818945E0EE9F3B3DF5C9DBBB3908B08
                                SHA-256:32A23EDC35BA2651543B0A153DF21A74365487C55D25342F2D50AAD9BAC4C6E9
                                SHA-512:B097B2D8A7C66A4EF8E9080F2BE0EE8757340FAB89B154C2DEB0C25AA8EDD043A08065D527CABE29AF35398B5C4E1E9F5A96018493372301899A968FF0B8D8F9
                                Malicious:true
                                Reputation:unknown
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                C:\Users\user\AppData\Local\Temp\tmpD512.tmp
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1644
                                Entropy (8bit):5.184496115167584
                                Encrypted:false
                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGztn:cbhK79lNQR/rydbz9I3YODOLNdq3c
                                MD5:98538A364A3BA38F686CD7300023F6F3
                                SHA1:A7448453C818945E0EE9F3B3DF5C9DBBB3908B08
                                SHA-256:32A23EDC35BA2651543B0A153DF21A74365487C55D25342F2D50AAD9BAC4C6E9
                                SHA-512:B097B2D8A7C66A4EF8E9080F2BE0EE8757340FAB89B154C2DEB0C25AA8EDD043A08065D527CABE29AF35398B5C4E1E9F5A96018493372301899A968FF0B8D8F9
                                Malicious:false
                                Reputation:unknown
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                C:\Users\user\AppData\Local\Temp\tmpFE36.tmp
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1644
                                Entropy (8bit):5.184496115167584
                                Encrypted:false
                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGztn:cbhK79lNQR/rydbz9I3YODOLNdq3c
                                MD5:98538A364A3BA38F686CD7300023F6F3
                                SHA1:A7448453C818945E0EE9F3B3DF5C9DBBB3908B08
                                SHA-256:32A23EDC35BA2651543B0A153DF21A74365487C55D25342F2D50AAD9BAC4C6E9
                                SHA-512:B097B2D8A7C66A4EF8E9080F2BE0EE8757340FAB89B154C2DEB0C25AA8EDD043A08065D527CABE29AF35398B5C4E1E9F5A96018493372301899A968FF0B8D8F9
                                Malicious:false
                                Reputation:unknown
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8
                                Entropy (8bit):3.0
                                Encrypted:false
                                SSDEEP:3:z4Lwn:U0n
                                MD5:EB318F2FBFAD576CC3C0E6AF2BC1422E
                                SHA1:4DCF1FBDAC8D7F275708497533F634FA9455DEC5
                                SHA-256:7D340406A2A1DBE171C2D222B76249FFB7AE1710FA2EA414DBE56F3EA91A1246
                                SHA-512:945198CF5156ABE8EBD4F173DE7121E6BE983E6019A593E6AA61718F6FF8374610B0CB9257B199E4782FAED40473A14302BDDCD27082CDDCBB70742DE530ECB5
                                Malicious:true
                                Reputation:unknown
                                Preview: ...U[..H
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):51
                                Entropy (8bit):4.655282146267042
                                Encrypted:false
                                SSDEEP:3:oNt+WfWhtrkynLmsribiC:oNwvU0Lb2b/
                                MD5:36CF5F6A15460E47553697F3171A68A2
                                SHA1:664885AA8C10A6C8D4C997C7A1B4D9451B7B41D6
                                SHA-256:BB464FA713EA5DD09CCC34D69C6F641D78142D8A780759E274911734BC3BD689
                                SHA-512:69CCE61DFE05023576CD1CC98CA449FFEA4EF145050A018B6E1E0238413A797C0BE6CF82D87A7778E7B6470603B2112D2D9A6513B4B6B1932D0B44AF482832A1
                                Malicious:false
                                Reputation:unknown
                                Preview: C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):651776
                                Entropy (8bit):7.645296007215276
                                Encrypted:false
                                SSDEEP:12288:o0cPk+EcPRnhUVjfP+Uuf2j613ztwXUoaAE0UErHPsRIY9Zi6g6SB:JcPhEcpw+U02e13ztwXUoaAlrvsxi6aB
                                MD5:1FC9414612683FA9B525A75355706490
                                SHA1:780CEE42FFEBC33391E0A814DB98E5CF8AFFED5E
                                SHA-256:AE095EBB3FFFA75296B6DB100D55EF0DCF8E8C7EB9A0C616E0ADB732DC4EE8C9
                                SHA-512:87777CA70B286FDB5B769EFAB741A09546E68825769B381328E8DEB9321099A5315A30CBF512CACD3297BB1F7CD55983048AEB15C47862A4811BCE2A6BF4DBEB
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 36%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....yfa..............0.................. ... ....@.. .......................`............@.................................P...O.... ..(....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...(.... ......................@..@.reloc.......@......................@..B........................H........C..t{..........@....E..........................................".(.....*....0............|....(.....+..*....0...............|.....(.......(&....*...0............{....l#......o@[.+..*..0..W.........#.......?....,..#.......?...+..#............,..#.............#......o@Z.}.....(&....*..0............{.....+..*.0................}.....*....0............(....(l....+..*....0..............,.....(-.....+...(......*....0............{.....+..*.0..C...........,...(.....(.........
                                C:\Users\user\AppData\Roaming\xWvcJacCRTJ.exe:Zone.Identifier
                                Process:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:false
                                Reputation:unknown
                                Preview: [ZoneTransfer]....ZoneId=0

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.645296007215276
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:DHL AWB TRACKING DETAILS.exe
                                File size:651776
                                MD5:1fc9414612683fa9b525a75355706490
                                SHA1:780cee42ffebc33391e0a814db98e5cf8affed5e
                                SHA256:ae095ebb3fffa75296b6db100d55ef0dcf8e8c7eb9a0c616e0adb732dc4ee8c9
                                SHA512:87777ca70b286fdb5b769efab741a09546e68825769b381328e8deb9321099a5315a30cbf512cacd3297bb1f7cd55983048aeb15c47862a4811bce2a6bf4dbeb
                                SSDEEP:12288:o0cPk+EcPRnhUVjfP+Uuf2j613ztwXUoaAE0UErHPsRIY9Zi6g6SB:JcPhEcpw+U02e13ztwXUoaAlrvsxi6aB
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....yfa..............0.................. ... ....@.. .......................`............@................................

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x4a04a2
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x616679B9 [Wed Oct 13 06:16:25 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]

                                Data Directories

                                Name                                 | Virtual Address | Virtual Size | Is in Section
                                -------------------------------------|-----------------|--------------|--------------
                                IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xa0450         | 0x4f         | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xa2000         | 0x628        | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xa4000         | 0xc          | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                Sections

                                Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
                                -------|-----------------|--------------|----------|----------|-----------------|-----------|-----------------|----------------
                                .text  | 0x2000          | 0x9e4a8      | 0x9e600  | False    | 0.854562327348  | data      | 7.65420629233   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc  | 0xa2000         | 0x628        | 0x800    | False    | 0.33984375      | data      | 3.48748935924   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0xa4000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name        | RVA     | Size  | Type                                                                         | Language | Country
                                ------------|---------|-------|------------------------------------------------------------------------------|----------|--------
                                RT_VERSION  | 0xa2090 | 0x398 | data                                                                         |          |
                                RT_MANIFEST | 0xa2438 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

                                Imports

                                DLL         | Import
                                ------------|------------
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description      | Data
                                -----------------|--------------------------
                                Translation      | 0x0000 0x04b0
                                LegalCopyright   | Copyright 2015
                                Assembly Version | 2.0.1.0
                                InternalName     | NullReferenceExcepti.exe
                                FileVersion      | 2.0.1.0
                                CompanyName      | reblGreen Software Ltd
                                LegalTrademarks  |
                                Comments         |
                                ProductName      | DimWin Brightness
                                ProductVersion   | 2.0.1.0
                                FileDescription  | DimWin Brightness
                                OriginalFilename | NullReferenceExcepti.exe

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp                | Protocol | SID | Message                                                        | Source Port | Dest Port | Source IP | Dest IP
                                -------------------------|----------|-----|----------------------------------------------------------------|-------------|-----------|-----------|------------
                                10/13/21-17:08:43.476938 | UDP      | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53          | 54531     | 8.8.8.8   | 192.168.2.4
                                10/13/21-17:09:21.017276 | UDP      | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53          | 49257     | 8.8.8.8   | 192.168.2.4
                                10/13/21-17:09:39.305371 | UDP      | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53          | 55854     | 8.8.8.8   | 192.168.2.4
                                10/13/21-17:10:15.196557 | UDP      | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53          | 61721     | 8.8.8.8   | 192.168.2.4

                                Network Port Distribution

                                TCP Packets

                                Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
                                -----------------------------------|-------------|-----------|-------------|---------------
                                Oct 13, 2021 17:08:43.506596088 CEST | 49763     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:08:46.503127098 CEST | 49763     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:08:52.503477097 CEST | 49763     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:02.294795036 CEST | 49778     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:05.301624060 CEST | 49778     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:11.302714109 CEST | 49778     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:21.019504070 CEST | 49783     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:24.021801949 CEST | 49783     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:30.037898064 CEST | 49783     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:39.306588888 CEST | 49792     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:42.320188046 CEST | 49792     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:48.320755005 CEST | 49792     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:09:57.878612041 CEST | 49794     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:10:00.884269953 CEST | 49794     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:10:06.900460005 CEST | 49794     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:10:15.201426983 CEST | 49823     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:10:18.204619884 CEST | 49823     | 7688      | 192.168.2.4 | 129.205.113.12
                                Oct 13, 2021 17:10:24.214833975 CEST | 49823     | 7688      | 192.168.2.4 | 129.205.113.12

                                UDP Packets

                                Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
                                -------------------------------------|-------------|-----------|-------------|------------
                                Oct 13, 2021 17:08:43.363162041 CEST | 54531       | 53        | 192.168.2.4 | 8.8.8.8
                                Oct 13, 2021 17:08:43.476938009 CEST | 53          | 54531     | 8.8.8.8     | 192.168.2.4
                                Oct 13, 2021 17:09:02.149257898 CEST | 58028       | 53        | 192.168.2.4 | 8.8.8.8
                                Oct 13, 2021 17:09:02.165541887 CEST | 53          | 58028     | 8.8.8.8     | 192.168.2.4
                                Oct 13, 2021 17:09:20.903023958 CEST | 49257       | 53        | 192.168.2.4 | 8.8.8.8
                                Oct 13, 2021 17:09:21.017276049 CEST | 53          | 49257     | 8.8.8.8     | 192.168.2.4
                                Oct 13, 2021 17:09:39.191277981 CEST | 55854       | 53        | 192.168.2.4 | 8.8.8.8
                                Oct 13, 2021 17:09:39.305371046 CEST | 53          | 55854     | 8.8.8.8     | 192.168.2.4
                                Oct 13, 2021 17:09:57.858398914 CEST | 64549       | 53        | 192.168.2.4 | 8.8.8.8
                                Oct 13, 2021 17:09:57.876790047 CEST | 53          | 64549     | 8.8.8.8     | 192.168.2.4
                                Oct 13, 2021 17:10:15.082997084 CEST | 61721       | 53        | 192.168.2.4 | 8.8.8.8
                                Oct 13, 2021 17:10:15.196557045 CEST | 53          | 61721     | 8.8.8.8     | 192.168.2.4

                                DNS Queries

                                Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                 | Type           | Class
                                -------------------------------------|-------------|---------|----------|--------------------|----------------------|----------------|------------
                                Oct 13, 2021 17:08:43.363162041 CEST | 192.168.2.4 | 8.8.8.8 | 0x9a24   | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:02.149257898 CEST | 192.168.2.4 | 8.8.8.8 | 0xeb16   | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:20.903023958 CEST | 192.168.2.4 | 8.8.8.8 | 0x23cc   | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:39.191277981 CEST | 192.168.2.4 | 8.8.8.8 | 0x2224   | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:57.858398914 CEST | 192.168.2.4 | 8.8.8.8 | 0x6385   | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:10:15.082997084 CEST | 192.168.2.4 | 8.8.8.8 | 0xd0b0   | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                 | CName | Address        | Type           | Class
                                -------------------------------------|-----------|-------------|----------|--------------|----------------------|-------|----------------|----------------|------------
                                Oct 13, 2021 17:08:43.476938009 CEST | 8.8.8.8   | 192.168.2.4 | 0x9a24   | No error (0) | chinomso.duckdns.org |       | 129.205.113.12 | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:02.165541887 CEST | 8.8.8.8   | 192.168.2.4 | 0xeb16   | No error (0) | chinomso.duckdns.org |       | 129.205.113.12 | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:21.017276049 CEST | 8.8.8.8   | 192.168.2.4 | 0x23cc   | No error (0) | chinomso.duckdns.org |       | 129.205.113.12 | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:39.305371046 CEST | 8.8.8.8   | 192.168.2.4 | 0x2224   | No error (0) | chinomso.duckdns.org |       | 129.205.113.12 | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:09:57.876790047 CEST | 8.8.8.8   | 192.168.2.4 | 0x6385   | No error (0) | chinomso.duckdns.org |       | 129.205.113.12 | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:10:15.196557045 CEST | 8.8.8.8   | 192.168.2.4 | 0xd0b0   | No error (0) | chinomso.duckdns.org |       | 129.205.113.12 | A (IP address) | IN (0x0001)

                                Code Manipulations

                                Statistics

                                Behavior

                                System Behavior

                                General

                                Start time:17:08:19
                                Start date:13/10/2021
                                Path:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe'
                                Imagebase:0xec0000
                                File size:651776 bytes
                                MD5 hash:1FC9414612683FA9B525A75355706490
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.707807684.0000000003312000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.707666257.00000000032D1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.708348717.00000000042D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                General

                                Start time:17:08:34
                                Start date:13/10/2021
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWvcJacCRTJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpA586.tmp'
                                Imagebase:0x920000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:17:08:35
                                Start date:13/10/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:17:08:35
                                Start date:13/10/2021
                                Path:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                Imagebase:0xa70000
                                File size:651776 bytes
                                MD5 hash:1FC9414612683FA9B525A75355706490
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.941003643.0000000003FF9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.942709422.0000000005990000.00000004.00020000.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.942404493.00000000057F0000.00000004.00020000.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.937316619.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.939950156.0000000002FF1000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:17:08:39
                                Start date:13/10/2021
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1FEB.tmp'
                                Imagebase:0x920000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:17:08:39
                                Start date:13/10/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:17:08:41
                                Start date:13/10/2021
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp252C.tmp'
                                Imagebase:0x920000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:17:08:41
                                Start date:13/10/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:17:08:41
                                Start date:13/10/2021
                                Path:C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\DHL AWB TRACKING DETAILS.exe' 0
                                Imagebase:0x160000
                                File size:651776 bytes
                                MD5 hash:1FC9414612683FA9B525A75355706490
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.747751155.0000000002570000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.747672827.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.748402227.0000000003539000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                General

                                Start time:17:08:44
                                Start date:13/10/2021
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                Imagebase:0xe60000
                                File size:651776 bytes
                                MD5 hash:1FC9414612683FA9B525A75355706490
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.753079815.0000000003310000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.752990326.00000000032D1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.754436217.00000000042D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Antivirus matches:
                                • Detection: 30%, Virustotal
                                • Detection: 36%, ReversingLabs

                                General

                                Start time:17:08:50
                                Start date:13/10/2021
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                Imagebase:0x490000
                                File size:651776 bytes
                                MD5 hash:1FC9414612683FA9B525A75355706490
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.763527582.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.763599855.0000000002970000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.764189899.0000000003939000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                Disassembly

                                Code Analysis
