Analysis Report Consignment Document PL&BL Draft.exe

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Avira: detection malicious, Label: HEUR/AGEN.1101060
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Source: Icda.exe.6888.3.memstr	Malware Configuration Extractor: NanoCore {"C2: ": ["172.94.25.202"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Source: Fdquqwatjjr.exe.7032.5.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": "gfumyAo", "URL: ": "https://dh2LZPEqfQO.net", "To: ": "mebarth@flood-protection.org", "ByHost: ": "mail.flood-protection.org:587", "Password: ": "932mpxGhMO2", "From: ": "sent@flood-protection.org"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: Consignment Document PL&BL Draft.exe

Virustotal: Detection: 21%

Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Consignment Document PL&BL Draft.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 17.0.dhcpmon.exe.c80000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.VLC2.exe.900000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.2.Icda.exe.a40000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.VLC2.exe.a0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.0.Icda.exe.a40000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Icda.exe.5970000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.2.VLC2.exe.900000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.2.VLC2.exe.a0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.Isgeprf.exe.710000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.2.dhcpmon.exe.c80000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.Isgeprf.exe.710000.0.unpack	Avira: Label: TR/Dropper.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49739 -> 85.187.154.178:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 85.187.154.178:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 85.187.154.178 85.187.154.178

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: A2HOSTINGUS A2HOSTINGUS

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 85.187.154.178:587

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: centurygift.myq-see.com

Urls found in memory or binary data

Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://EAXDhR.com
Source: Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	String found in binary or memory: http://flood-protection.org
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	String found in binary or memory: http://mail.flood-protection.org
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp, Isgeprf.exe, 00000004.00000002.263961602.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, Fdquqwatjjr.exe.2.dr	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	String found in binary or memory: https://dh2LZPEqfQO.net
Source: Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Fdquqwatjjr.exe, Fdquqwatjjr.exe.2.dr	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Installs a raw input device (often for capturing keystrokes)

Source: Icda.exe, 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.56d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Consignment Document PL&BL Draft.exe

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0529131A NtQuerySystemInformation,		3_2_0529131A
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052912DF NtQuerySystemInformation,		3_2_052912DF

Detected potential crypto function

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_015EC0F4		0_2_015EC0F4
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_015EE538		0_2_015EE538
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_015EE528		0_2_015EE528
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_076D0040		0_2_076D0040
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167E408		1_2_0167E408
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167E418		1_2_0167E418
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167B7BC		1_2_0167B7BC
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_00A4524A		3_2_00A4524A
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0523B068		3_2_0523B068
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05233850		3_2_05233850
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052323A0		3_2_052323A0
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05232FA8		3_2_05232FA8
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05238798		3_2_05238798
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0523306F		3_2_0523306F
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0523945F		3_2_0523945F
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05239398		3_2_05239398
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_004E2296		5_2_004E2296
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A16070		5_2_00A16070
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A17078		5_2_00A17078
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A1085D		5_2_00A1085D
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A15698		5_2_00A15698
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A133E0		5_2_00A133E0
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A19FC8		5_2_00A19FC8
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A1EB00		5_2_00A1EB00
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A16F80		5_2_00A16F80
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_026D46A0		5_2_026D46A0
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_026D45B0		5_2_026D45B0
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_026DD2E1		5_2_026DD2E1
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A67538		5_2_05A67538
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A66C68		5_2_05A66C68
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A66920		5_2_05A66920
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A690F8		5_2_05A690F8

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 9589565F7BEB6DCCFE4F8424455271BBF810182EA94DACBC8C081577E34A51E1
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe C0791632452FD17FDB08B4241AD7B6F5AAF1AF6190861301135EF3631F4B4020
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Icda.exe 9589565F7BEB6DCCFE4F8424455271BBF810182EA94DACBC8C081577E34A51E1
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 488C59FDDF2DB00DA7FB4D6589183ADC7396EDC4233F23EB950AA7191FE4366E
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 97A5CAB2336F3B81F82D7EC85B2F0937CE39D10E512BF0BDADE9248D6D1BC682

PE file contains strange resources

Source: Consignment Document PL&BL Draft.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Consignment Document PL&BL Draft.exe	Binary or memory string: OriginalFilename vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename3in1.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe	Binary or memory string: OriginalFilename vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000001.00000002.243408659.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVLC22.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000001.00000002.240881218.000000000044A000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename3in1.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe	Binary or memory string: OriginalFilename vs Consignment Document PL&BL Draft.exe

Yara signature match

Source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.56d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.56d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: Consignment Document PL&BL Draft.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Rczgwoxvqzh.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Source: Icda.exe.1.dr	Static PE information: Section: .rsrc ZLIB complexity 0.99953125
Source: dhcpmon.exe.3.dr	Static PE information: Section: .rsrc ZLIB complexity 0.99953125

.NET source code contains calls to encryption/decryption functions

Source: Icda.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Icda.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.3.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.3.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

.NET source code contains long base64-encoded strings

Source: Isgeprf.exe.2.dr, Client/Settings.cs

Base64 encoded string: 'Nw1gtYqph0wLf4EXfBAJrH13qgT+guhDJrXnvIW+nyGiHgFnrWIVAVu+8pH2/eNsYPgHWB8yrlojcqOT7NUTHA==', 'uVc1tfiTCefsUt1aAeD+CBRJeU/+t9XadzdMMojJf1QAWGDpYh4K5FgT4Np/5j/ObtZPu0Q+8Is6xYyKJ8H+kppYMXkCHQg1DfQS6lcdHsw=', 'hB9frLvaIqvykz6iknlNjnH13y6iI0FI9B46TAb7ves0qOkf9TUsZX9LS+My5+FF4RFPAVcY90ENqkxjxbAhhw==', 'p0fhD58xJ4CrL6CmIoTtkCGx9oXDd7a7H3Pjstxalpcn0/sYBbmJUs73TCckU+b0DPBY4FYQa/FvDvp6q77sf9rwUrUjZAXfNl7g9IHUA8M=', 'XKIB3EO4GfPyDFEhS9sxDEhzvvJJ1fkcfKzxZz71Jdkn6hiqo4k2LP5FIuGQUOUgNDNySPWv7SlnarnvL3qN10qpqpBm2DvL8L1Y3INOvpaW3GiDoMan+dzWdXKvfBvvFd2FqT1mf+7I8xvfTuLKiUoGuQ308Czc5rgXqvyRL8DbDpOhedN0isvriO67V+rkVWrT3eb6tMcSWfR1Rf1UgEvnShP8Z5MEGFBLXrZTyux5PDtLgoUANx2wQm3dEeW27pKE737Jc918BnxduVMyw159hW/FoGvCBopaQxGjn0dq0wXL7f3UQuz2hrNYyQVejjwSlW/+pK4JZbqkwcIPKbgUoVfdYZZjCXaE8Tkm6sRQen+r2ieaJlqU//3wpOXTq3pfjk7QLV6Lgmp47mB2f37nki7JvQ0SP6lNMt4aHl83plNeiRAC7EWBQp4oA7PANn+O1yA+kC4GDlV2Df7b468bCiY2oPssmNL+DKm/01PDKQ10z8CfEMr4gmls+Er0A9wbipcoDoDKALpXjqeQgj8oOR+nUC4UA0uI+bE2q8pqrNTkGsRdW794kbxJOp01utvOosMgXTdV0diKJ7cWtZIruE4E7atczDA9Wng/fOyUe4PVVpLjTYY6mcHGbit2RP1nempHvRZtM4drqJIpqwUkmM6M0T1YA2hlpvDwHZZ988GyKgp468yG3//dwdnNALmeRiZqAI/H9BkBip1kq4WBhHILIk8wH29+hVu4bjTq5V/bhWjxOaGpox6rZuV5O5OM48Cn7kFGxGk+bdYGIFkctESVmHQRcrkPA0CiKh8kssHtDeSDsCqStaFeqH1fsOX05GYBA4G6mpNLh7w+Cim83x/4CCdKszW2yAwhdMVUEvUDTLYNOxnN5+92RTlXFWLeDl0PbSyeZRjYjQyvsxQndZ5j1MFbj6aVVoBhJ/ji5UEJCxndIowYjG3voIHi8cFE0y2M4v6MAGcu8KFKeXFkt4NmNeaXXfBABENVFRTHEYBI9lIqbHQDY4dE+r3vRBHpTqJZ3UjbC2IRracsnVtSgiDPGzOQqV3sRoueTQf9M1pdEaMkWuQ9UQJz3TZ9goZLgVY7YIhd1w/o1ursdvN899B/cnZE65jfbS07Bhf3rG2V0oJ3vM0OIfvDDJ+LSbYiTWSFMxITAANsaVR2OXbNnvSqwOub6JpcImVbfoyATGv2Yp238mPgzZVbrGoWZo9LkVQhxcTV+dRn7ngwh2eyPJnvVnLGzKHzRtCo3JIJGjoxdCapAlZDQ6FpQ5U040WFm65ezDdoEnjRGpwLAzqXXQCMeS5dkec+L/qFIxBYFKY4oUtbkJA+puMKIwAfokBPCUvtabAR06h/eOG+KN8JSZZaw4qCxpg8Lm19GyNO/0QzG9gZhKzQDHy1LRgUGUgfZsnma67eRd1kGEltAVLfh8sxhCZGsVOG+J8zJUupy7nDtkscPOS9Owk99SnpLCbnuSaZsILOT7zew5IUfHLqxCF68h5RBe6KIz1sfspxdoPhy1ApGxa/dXeciqYdf6fblZ0OqKuy5SDLzrFZm6TNxJz4Rjdy2ogngJkrvLxyJqjmFhUzjwRbnkBgUtbWc5mTUk6orwMZocI1PSyI6cV6dkk5vWaC0Or7S0YnIh4Lljvk3n6wZWUUNCuTMVok7tEX3QVz0P9cq/B+JqHvK6IMW+8625tiE9BBiD+aOsbR5arCl3lWaIh4dbfGF8l5CwELZR8xtZINQDO9dUjVtA24z7xaSnuc+EUMmWzeD50WjkIg3fD8Sy0cg1ZOne7ii8fT5dEYN4vcoNU36oqK2WeM7jGqUd8iH0dJupYQmrlyqxKrUJJ9zEW/xykCRpZpFFnbnsgKeOQmQ67thY+2qYgNCCSxHMoKcCc2g6e0tgqbricINUKh/kxKZKhxrnW12YsxxURnnmy0pwr/KoR9tP9it1k+7dlkiCkDKfo4nhF33cE3zfptb0J4TpUWqTYo1Fy9hC6u+KP7K9tquClJ8Md6syTJnXYx46GlMjK57mQdC40Pnc0UbJZwklgJbnxBjEWF3CTP3im/8HsacBVK0hnk6xOkm8AwCCjyuHANKI4Ne+8oOn9bU9MZXwyb2jN6ALAJlqWyBNHdBRh+RYLCXHODCVaKvwiWQT17v1KTnKakmdG8lL8Z/HKJ/LM5aG5RjRC+G4yEtqakKiHBaAZp6vQPBwJN+0jocQfAbYZeJeAMnn2WiM32Py/4mJbU9fiohhWvfkIO4FKz6r/o+scNgzXJ4RAIl8abuIO/K9si9udpahwpBw0imxDQ5G+nouhfKfUJjY1V+GlQ1yuamNoEAtx/eZg+zxz/DOnV3RSj9pw=', 'xxylxPRRUDGoeLCh79doFks73rkjhjUNySQ5ZO74MLBY+NvsEmayZOD5ufvPUkN3nPaSP4Qj9mF917TtveQLcw==', 'h4JAH4YAbXw1lKuOZo7dDI2BxqPULh0MyemNhxHcqcLPzQu3RAeFFjFHQVzOOMSd050FmtunFZv4cfV9I1RsZA=='

.NET source code contains many API calls related to security

Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Isgeprf.exe.2.dr, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Isgeprf.exe.2.dr, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/14@13/2

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052910DA AdjustTokenPrivileges,		3_2_052910DA
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052910A3 AdjustTokenPrivileges,		3_2_052910A3

Creates files inside the program directory

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Consignment Document PL&BL Draft.exe.log

Jump to behavior

Creates mutexes

Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a60f1e04-b281-49b0-9733-22b28c2ea6d7}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01

Creates temporary files

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe

Jump to behavior

Executes batch files

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''

PE file has an executable .text section and no other executable section

Source: Consignment Document PL&BL Draft.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Reads ini files

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample is known by Antivirus

Source: Consignment Document PL&BL Draft.exe

Virustotal: Detection: 21%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe 'C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Icda.exe 'C:\Users\user\AppData\Local\Temp\Icda.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 'C:\Users\user\AppData\Local\Temp\Isgeprf.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe 'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe C:\Users\user\AppData\Local\Temp\VLC2.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe 'C:\Users\user\AppData\Local\Temp\VLC2.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe'			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Icda.exe 'C:\Users\user\AppData\Local\Temp\Icda.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 'C:\Users\user\AppData\Local\Temp\Isgeprf.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe 'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe 'C:\Users\user\AppData\Local\Temp\VLC2.exe'

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

PE file contains a COM descriptor data directory

Source: Consignment Document PL&BL Draft.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Uses new MSVCR Dlls

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Consignment Document PL&BL Draft.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Icda.exe, 00000003.00000002.488044286.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: Icda.exe, 00000003.00000002.493930043.0000000005670000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe

Unpacked PE file: 2.2.Rczgwoxvqzh.exe.c00000.0.unpack

.NET source code contains potential unpacker

Source: Consignment Document PL&BL Draft.exe, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Consignment Document PL&BL Draft.exe.ba0000.0.unpack, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Icda.exe.1.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Consignment Document PL&BL Draft.exe.c70000.1.unpack, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Consignment Document PL&BL Draft.exe.c70000.0.unpack, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_00BA5286 push es; retf		0_2_00BA5288
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_00C75286 push es; retf		1_2_00C75288
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_016786A2 pushfd ; iretd		1_2_016786C5
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167FA42 pushfd ; iretd		1_2_0167FA49
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_05786BF7 push E801005Eh; retf		1_2_05786C01
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Code function: 4_2_00714122 push eax; ret		4_2_0071412C
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Code function: 4_2_00712A66 push 0000003Eh; retn 0000h		4_2_00712DC0
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Code function: 4_2_00712F81 push eax; ret		4_2_00712F95

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.86672838882
Source: initial sample	Static PE information: section name: .text entropy: 7.98388170142

.NET source code contains many randomly named methods

Source: Icda.exe.1.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: Icda.exe.1.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.3.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.3.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	File created: C:\Users\user\AppData\Local\Temp\Icda.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	File created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	File created: C:\Users\user\AppData\Local\Temp\VLC2.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	File created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	File created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe			Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

File opened: C:\Users\user\AppData\Local\Temp\Icda.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Consignment Document PL&BL Draft.exe PID: 6620, type: MEMORY

Yara detected AsyncRAT

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Isgeprf.exe, VLC2.exe, 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, VLC2.exe, 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, Isgeprf.exe.2.dr	Binary or memory string: SBIEDLL.DLL

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Code function: 5_2_004E4BA0 sldt word ptr [eax]

5_2_004E4BA0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Window / User API: threadDelayed 452			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Window / User API: threadDelayed 1246			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Window / User API: threadDelayed 546			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Window / User API: threadDelayed 699			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Window / User API: foregroundWindowGot 832			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Window / User API: threadDelayed 2872
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Window / User API: threadDelayed 6971

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6784	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6624	Thread sleep time: -41500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe TID: 6900	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe TID: 6972	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe TID: 7048	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe TID: 6396	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe TID: 6400	Thread sleep count: 2872 > 30
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe TID: 6400	Thread sleep count: 6971 > 30
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe TID: 6448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6496	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Checks the free space of harddrives

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File Volume queried: C:\ FullSizeInformation

Contains functionality to query system information

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

Code function: 3_2_05290D66 GetSystemInfo,

3_2_05290D66

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Isgeprf.exe.2.dr	Binary or memory string: vmware
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Fdquqwatjjr.exe, 00000005.00000003.451596278.0000000000C6F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: Consignment Document PL&BL Draft.exe, 00000001.00000002.242325394.00000000012F3000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Icda.exe, 00000003.00000002.486203101.00000000011FE000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllwH?
Source: Icda.exe, 00000003.00000002.486203101.00000000011FE000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWh
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: VLC2.exe, 0000000E.00000002.486402924.00000000010F0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`a
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe'			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Icda.exe 'C:\Users\user\AppData\Local\Temp\Icda.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 'C:\Users\user\AppData\Local\Temp\Isgeprf.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe 'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe 'C:\Users\user\AppData\Local\Temp\VLC2.exe'

May try to detect the Windows Explorer process (often used for injection)

Source: Icda.exe, 00000003.00000002.486203101.00000000011FE000.00000004.00000020.sdmp	Binary or memory string: GrProgram Manager
Source: Icda.exe, 00000003.00000002.492076127.0000000003396000.00000004.00000001.sdmp	Binary or memory string: Program Manager#
Source: Icda.exe, 00000003.00000002.491052946.0000000003218000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Icda.exe, 00000003.00000002.487069083.0000000001760000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Icda.exe, 00000003.00000002.487069083.0000000001760000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Icda.exe, 00000003.00000002.487069083.0000000001760000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Icda.exe, 00000003.00000002.491052946.0000000003218000.00000004.00000001.sdmp	Binary or memory string: Program Manager

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Isgeprf.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\VLC2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\VLC2.exe VolumeInformation

Contains functionality to query the account / user name

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Code function: 5_2_05A62654 GetUserNameW,

5_2_05A62654

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.483921714.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245444705.0000000012EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fdquqwatjjr.exe PID: 7032, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe, type: DROPPED
Source: Yara match	File source: 5.0.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fdquqwatjjr.exe PID: 7032, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Source: Icda.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: Icda.exe, 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Icda.exe.1.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.483921714.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245444705.0000000012EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fdquqwatjjr.exe PID: 7032, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe, type: DROPPED
Source: Yara match	File source: 5.0.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05292546 bind,		3_2_05292546
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05292523 bind,		3_2_05292523