
Analysis Report Shipping Documents Original BL, Invoice & Pa.exe

Overview

General Information

Sample Name: Shipping Documents Original BL, Invoice & Pa.exe
Analysis ID: 403743
MD5: 597332734fde92068c7b354d33920040
SHA1: 01454e8c59644ab0dd54d2326a93965a1f52b91c
SHA256: d9510122ef15d475c69ca539c949d4b8c8002b8f617411854098091106c37119
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

DLL reload attack detected
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Shipping Documents Original BL, Invoice & Pa.exe (PID: 5476 cmdline: 'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe' MD5: 597332734FDE92068C7B354D33920040)
    • MSBuild.exe (PID: 6100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
      • schtasks.exe (PID: 5836 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7B35.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2900 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp823B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 4472 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5608 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 3880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6108 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "692d457c-2b26-4af6-a5f8-088a1838", "Group": "Default", "Domain1": "", "Domain2": "172.93.166.26", "Port": 4090, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x120225:$a: NanoCore
    • 0x120235:$a: NanoCore
    • 0x120469:$a: NanoCore
    • 0x12047d:$a: NanoCore
    • 0x1204bd:$a: NanoCore
    • 0x152c45:$a: NanoCore
    • 0x152c55:$a: NanoCore
    • 0x152e89:$a: NanoCore
    • 0x152e9d:$a: NanoCore
    • 0x152edd:$a: NanoCore
    • 0x120284:$b: ClientPlugin
    • 0x120486:$b: ClientPlugin
    • 0x1204c6:$b: ClientPlugin
    • 0x152ca4:$b: ClientPlugin
    • 0x152ea6:$b: ClientPlugin
    • 0x152ee6:$b: ClientPlugin
    • 0x1203ab:$c: ProjectData
    • 0x152dcb:$c: ProjectData
    • 0x27320e:$c: ProjectData
    • 0x2f4e2e:$c: ProjectData
    • 0x120db2:$d: DESCrypto
00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0x1204bd:$x1: NanoCore.ClientPluginHost
    • 0x152edd:$x1: NanoCore.ClientPluginHost
    • 0x1204fa:$x2: IClientNetworkHost
    • 0x152f1a:$x2: IClientNetworkHost
    • 0x12402d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x156a4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp | Nanocore | detect Nanocore in memory | JPCERT/CC Incident Response Group
    • 0x120225:$v1: NanoCore Client
    • 0x120235:$v1: NanoCore Client
    • 0x152c45:$v1: NanoCore Client
    • 0x152c55:$v1: NanoCore Client
    • 0x121af6:$v2: PluginCommand
    • 0x154516:$v2: PluginCommand
    • 0x121ade:$v3: CommandType
    • 0x1544fe:$v3: CommandType
00000000.00000002.248107132.000000000286C000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xe0f5:$a: NanoCore
        • 0xe105:$a: NanoCore
        • 0xe339:$a: NanoCore
        • 0xe34d:$a: NanoCore
        • 0xe38d:$a: NanoCore
        • 0xe154:$b: ClientPlugin
        • 0xe356:$b: ClientPlugin
        • 0xe396:$b: ClientPlugin
        • 0xe27b:$c: ProjectData
        • 0xec82:$d: DESCrypto
        • 0x1664e:$e: KeepAlive
        • 0x1463c:$g: LogClientMessage
        • 0x10837:$i: get_Connected
        • 0xefb8:$j: #=q
        • 0xefe8:$j: #=q
        • 0xf004:$j: #=q
        • 0xf034:$j: #=q
        • 0xf050:$j: #=q
        • 0xf06c:$j: #=q
        • 0xf09c:$j: #=q
        • 0xf0b8:$j: #=q
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack | Nanocore | detect Nanocore in memory | JPCERT/CC Incident Response Group
        • 0xe0f5:$v1: NanoCore Client
        • 0xe105:$v1: NanoCore Client
        • 0xf9c6:$v2: PluginCommand
        • 0xf9ae:$v3: CommandType
0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7B35.tmp', ParentImage: C:\Windows\SysWOW64\schtasks.exe, ParentProcessId: 5836, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5936
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe' , ParentImage: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, ParentProcessId: 5476, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6100

Persistence and Installation Behavior:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7B35.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7B35.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 6100, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7B35.tmp', ProcessId: 5836

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack; Malware Configuration Extractor: NanoCore (the full extracted configuration is listed under Malware Configuration above)
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY
Source: Yara match; File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Shipping Documents Original BL, Invoice & Pa.exe; Joe Sandbox ML: detected
Source: Shipping Documents Original BL, Invoice & Pa.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Shipping Documents Original BL, Invoice & Pa.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: dhcpmon.exe, 0000000D.00000002.267852932.0000000000292000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.270641668.0000000000632000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_0B25B6A8
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_0B25DB00
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_0B25DA40
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_0B25CF48
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_0B25DC88

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49715 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49725 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49732 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49744 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49746 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49747 -> 172.93.166.26:4090
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49748 -> 172.93.166.26:4090
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs:
Source: Malware configuration extractor; URLs: 172.93.166.26
Source: Joe Sandbox View; ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS
Source: unknown; TCP traffic detected without corresponding DNS query: 20.190.160.134
Source: unknown; TCP traffic detected without corresponding DNS query: 104.43.193.48
Source: unknown; TCP traffic detected without corresponding DNS query: 172.93.166.26
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226622852.0000000005969000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226622852.0000000005969000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/lu
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226622852.0000000005969000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226622852.0000000005969000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/du
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226622852.0000000005969000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226622852.0000000005969000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Yu
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226080749.0000000005964000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/lu
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.226622852.0000000005969000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ru
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260525380.0000000005A50000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260525380.0000000005A50000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260525380.0000000005A50000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260525380.0000000005A50000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.225374998.000000000598E000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com1
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260525380.0000000005A50000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260525380.0000000005A50000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260525380.0000000005A50000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.248107132.000000000286C000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
          Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49687
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49675
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49680
          Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49689 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49687 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
          Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.246862196.00000000009EB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY
Source: Yara match | File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Shipping Documents Original BL, Invoice & Pa.exe
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0270B264
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0270C2B0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_02709990
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0270DF73
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BA800
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BBB48
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088B0040
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BB3A8
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BD3D0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088B8440
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BC508
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BF990
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BF9A0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BBB38
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BEE80
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BEE72
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088B91A0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BB2E4
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088B3250
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BD3A6
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BB302
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BF4A8
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BF4B8
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BC4F8
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BF6C8
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BF6D8
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_088BA7F0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B250040
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B25C0E0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B25AC98
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B250B28
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B250A91
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B2569DF
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B250006
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B254FE1
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B254FF0
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B25546F
Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe | Code function: 0_2_0B255480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01742148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01744000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01745CF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_017418C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01744A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01742133
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00DA51F9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00DA2370
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00DA1A2F
Source: dhcpmon.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.260326707.0000000005870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameIEFRAME.DLLD vs Shipping Documents Original BL, Invoice & Pa.exe
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.247908876.0000000002837000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Shipping Documents Original BL, Invoice & Pa.exe
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Shipping Documents Original BL, Invoice & Pa.exe
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.264266162.0000000008780000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping Documents Original BL, Invoice & Pa.exe
Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.246862196.00000000009EB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Shipping Documents Original BL, Invoice & Pa.exe
Source: Shipping Documents Original BL, Invoice & Pa.exe | Binary or memory string: OriginalFilenameIAPPIDAUTHORITYAREREFERENCESEQUALFLAGS.exeB vs Shipping Documents Original BL, Invoice & Pa.exe
Source: Shipping Documents Original BL, Invoice & Pa.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.255085940.00000000037F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5476, type: MEMORY | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3909330.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Shipping Documents Original BL, Invoice & Pa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: dhcpmon.exe.4.dr, Microsoft.Build/Shared/TaskLoader.cs | Task registration methods: 'CreateTask'
Source: dhcpmon.exe.4.dr, Microsoft.Build/BackEnd/TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
Source: dhcpmon.exe.4.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.cs | Task registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
Source: dhcpmon.exe.4.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.4.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.dhcpmon.exe.290000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.dhcpmon.exe.290000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.dhcpmon.exe.630000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.dhcpmon.exe.630000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 15.2.dhcpmon.exe.630000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 15.2.dhcpmon.exe.630000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.dhcpmon.exe.630000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.0.dhcpmon.exe.290000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.0.dhcpmon.exe.290000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.4.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()