Windows Analysis Report INVOICE = 212888585 .xlsx

Overview

General Information

Sample Name:	INVOICE = 212888585 .xlsx
Analysis ID:	483709
MD5:	145e00853b80fb2d97676c4416f984a9
SHA1:	fa80c59ebbafc435e88ffdceae00450b56ec5d48
SHA256:	e9c342550d334bffc58a310997673e24eed03f4d2b9c441dec943b24e7d29d08
Tags:	xlsx
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Office equation editor drops PE file

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Office Equation Editor has been started

Binary contains a suspicious time stamp

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9ed8d108-2eb1-4e23-9679-783796e4", "Group": "Default", "Domain1": "godisgood1.hopto.org", "Domain2": "", "Port": 7712, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: INVOICE = 212888585 .xlsx	Virustotal: Detection: 42%			Perma Link
Source: INVOICE = 212888585 .xlsx	ReversingLabs: Detection: 50%

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\ALP.exe	ReversingLabs: Detection: 30%

Yara detected Nanocore RAT

Source: Yara match	File source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.691609233.0000000002431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR

Machine Learning detection for sample

Source: INVOICE = 212888585 .xlsx

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ALP.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.ALP.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.2.smtpsvc.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.ALP.exe.6c0000.3.unpack	Avira: Label: TR/NanoCore.fadte
Source: 16.2.smtpsvc.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.ALP.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\ALP.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\ALP.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: ALP.exe, 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ALP.exe, 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ALP.exe, 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ALP.exe, 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp

Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_0072C8F6
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_0072C890
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	4_2_0072C880
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_00729EC8

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49166 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49167 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 103.147.184.84:7712
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 103.147.184.84:7712

Source: Malware configuration extractor	URLs: godisgood1.hopto.org
Source: Malware configuration extractor	URLs:

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View	ASN Name: WORLDSTREAMNL WORLDSTREAMNL

Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.96

Source: ALP.exe, 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp	String found in binary or memory: http://google.com
Source: ALP.exe, 00000004.00000002.695025168.0000000005880000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690337039.0000000001C70000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: ALP.exe, 00000004.00000002.695025168.0000000005880000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.690337039.0000000001C70000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA

Source: 16.2.smtpsvc.exe.2564e04.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.smtpsvc.exe.358b34e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.376af3e.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.376af3e.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.3601ae8.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.8a0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.21d0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.3753cdf.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.230e8a4.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.ALP.exe.3320184.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.790000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.327b34e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.smtpsvc.exe.3590184.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.ALP.exe.3318cc8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.820000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.3753cdf.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.3753cdf.31.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.ALP.exe.33247ad.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.ALP.exe.34f8cc8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.24b88bc.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.3601ae8.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.7c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.8b0000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.2304c9f.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.24ac674.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.24ac674.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.820000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.8c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.24b88bc.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.24b88bc.22.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.3606787.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.3280184.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.6c0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.780000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.21b0000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.smtpsvc.exe.3338cc8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.ALP.exe.3320184.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.2300000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.8c0000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.smtpsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.790000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.8a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.smtpsvc.exe.3590184.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.3480184.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.780000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.ALP.exe.22f4d80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.ALP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.smtpsvc.exe.35947ad.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.361038c.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.32847ad.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.2254e04.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.21b0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.8b0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.34847ad.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.375cb0e.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.24ac674.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.375cb0e.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.21d0000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.24ccef8.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.24ccef8.21.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.6c0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.smtpsvc.exe.3280184.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.ALP.exe.331b34e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.6c4629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.850000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.840000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.3298cc8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.840000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.244df88.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.smtpsvc.exe.3338cc8.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.347b34e.26.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.smtpsvc.exe.3298cc8.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.ALP.exe.2300000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.ALP.exe.3480184.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.ALP.exe.34f8cc8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.ALP.exe.3318cc8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.523014987.00000000032D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.691493356.00000000021B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.528139712.0000000002231000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.691041233.00000000008A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.522978296.00000000022D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.525259528.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.690682289.00000000006C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.525186411.0000000002541000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.690880215.0000000000780000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.690912627.0000000000790000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.691516728.00000000021D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.690948278.00000000007C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.690383308.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.528229678.0000000003239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.694158728.0000000003479000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.690432511.0000000000470000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.511286759.0000000003289000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.522489862.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.690979593.0000000000820000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.527221961.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.694476042.00000000036F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.691050468.00000000008B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.524484369.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.516689891.0000000003209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.691024483.0000000000850000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.691059827.00000000008C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.691013967.0000000000840000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.691571948.0000000002300000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.691649725.0000000002482000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.479035033.0000000003469000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.513705045.00000000032A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ALP.exe PID: 1212, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ALP.exe PID: 2700, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: smtpsvc.exe PID: 2196, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: smtpsvc.exe PID: 344, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING UP TO TRANSLATE LANGUAGE 7 NO. N1ASF6783 8 PURCHASE ORDER 9 10 CLIENT: ZhOu YU
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING UP TO TRANSLATE LANGUAGE 7 NO. N1ASF6783 8 PURCHASE ORDER 9 10 CLIENT: ZhOu YU

Source: ALP.exe.2.dr, Forms/mainForm.cs	Long String: Length: 38272
Source: 3.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 3.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: smtpsvc.exe.4.dr, Forms/mainForm.cs	Long String: Length: 38272
Source: 4.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 4.2.ALP.exe.910000.14.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 10.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 10.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 11.0.smtpsvc.exe.be0000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272

Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_004330D0	3_2_004330D0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_0043009C	3_2_0043009C
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00431121	3_2_00431121
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00431B00	3_2_00431B00
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00433CD8	3_2_00433CD8
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00434E09	3_2_00434E09
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00431700	3_2_00431700
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_004380FA	3_2_004380FA
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_0043A901	3_2_0043A901
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00438108	3_2_00438108
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_0043A910	3_2_0043A910
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_004399D0	3_2_004399D0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_0043838A	3_2_0043838A
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00438398	3_2_00438398
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_004313B0	3_2_004313B0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_004304E1	3_2_004304E1
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00438569	3_2_00438569
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00436D18	3_2_00436D18
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00436D28	3_2_00436D28
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00435DF0	3_2_00435DF0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_0043AE48	3_2_0043AE48
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_0043AE38	3_2_0043AE38
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00437F08	3_2_00437F08
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00437F18	3_2_00437F18
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0025E038	4_2_0025E038
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0025C0B0	4_2_0025C0B0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_002543A0	4_2_002543A0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0025B498	4_2_0025B498
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_00253788	4_2_00253788
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0025C16E	4_2_0025C16E
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_00254458	4_2_00254458
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_00727050	4_2_00727050
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0072D540	4_2_0072D540
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0072EA30	4_2_0072EA30
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_00727C68	4_2_00727C68
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0072E158	4_2_0072E158
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0072E216	4_2_0072E216
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_00727D26	4_2_00727D26
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_022E0048	4_2_022E0048
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_022E0C50	4_2_022E0C50
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_022E4CB8	4_2_022E4CB8
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_022E43C8	4_2_022E43C8
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_022E4078	4_2_022E4078
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_022E1527	4_2_022E1527
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_022E0D1E	4_2_022E0D1E
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_0031009C	10_2_0031009C
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_003130D0	10_2_003130D0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00311121	10_2_00311121
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00311B00	10_2_00311B00
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00313CD8	10_2_00313CD8
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00314E09	10_2_00314E09
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00311700	10_2_00311700
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_0031A910	10_2_0031A910
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_0031A901	10_2_0031A901
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00318108	10_2_00318108
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00319A0D	10_2_00319A0D
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00316260	10_2_00316260
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_003113B0	10_2_003113B0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00318398	10_2_00318398
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00313C30	10_2_00313C30
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00316D28	10_2_00316D28
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00316D18	10_2_00316D18
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00318569	10_2_00318569
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00315DF0	10_2_00315DF0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00315DEC	10_2_00315DEC
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_0031A630	10_2_0031A630
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_0031AE38	10_2_0031AE38
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_0031AE48	10_2_0031AE48
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00317F18	10_2_00317F18
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00317F08	10_2_00317F08
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E009C	11_2_002E009C
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E30D0	11_2_002E30D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E1121	11_2_002E1121
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E1B00	11_2_002E1B00
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E3CD8	11_2_002E3CD8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E4E09	11_2_002E4E09
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E1700	11_2_002E1700
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E8108	11_2_002E8108
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002EA901	11_2_002EA901
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002EA910	11_2_002EA910
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E99D0	11_2_002E99D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E13B0	11_2_002E13B0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E8398	11_2_002E8398
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E6D28	11_2_002E6D28
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E6D18	11_2_002E6D18
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E8569	11_2_002E8569
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E5DF0	11_2_002E5DF0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002EAE38	11_2_002EAE38
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002EAE48	11_2_002EAE48
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E7F08	11_2_002E7F08
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E7F18	11_2_002E7F18
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0025009C	12_2_0025009C
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_002530D0	12_2_002530D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00251121	12_2_00251121
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00251B00	12_2_00251B00
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00253CD8	12_2_00253CD8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00254E09	12_2_00254E09
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00251700	12_2_00251700
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0025A901	12_2_0025A901
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00258108	12_2_00258108
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0025A910	12_2_0025A910
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_002599D0	12_2_002599D0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_002513B0	12_2_002513B0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00258398	12_2_00258398
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_002504E1	12_2_002504E1
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00256D28	12_2_00256D28
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00256D18	12_2_00256D18
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00258569	12_2_00258569
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00255DF0	12_2_00255DF0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0025AE38	12_2_0025AE38
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0025AE48	12_2_0025AE48
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00257F08	12_2_00257F08
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00257F18	12_2_00257F18
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 14_2_003F43A0	14_2_003F43A0
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 14_2_003F3788	14_2_003F3788
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 14_2_003F4458	14_2_003F4458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_002143A0	16_2_002143A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_00213788	16_2_00213788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_00214C78	16_2_00214C78
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_00214458	16_2_00214458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_003146C9	17_2_003146C9
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_003143A0	17_2_003143A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_00313788	17_2_00313788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_00314C78	17_2_00314C78
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_00314458	17_2_00314458

Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: ALP.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: smtpsvc.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................0.......................(.P.............P...............g.................................................................(.....			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ........................................(.P.............................f.......................................................................			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp'
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp277F.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {6D7D75E4-8EFD-44BB-96AC-FEA7E6E0852F} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp3811.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp277F.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe 0	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Process created: C:\Users\user\AppData\Roaming\ALP.exe C:\Users\user\AppData\Roaming\ALP.exe	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ALP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior

Source: ALP.exe.2.dr, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: smtpsvc.exe.4.dr, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: ALP.exe.2.dr, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: smtpsvc.exe.4.dr, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ALP.exe.910000.14.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.ALP.exe.910000.1.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.ALP.exe.910000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.smtpsvc.exe.be0000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_0043C0D0 push ds; ret	3_2_0043C0D7
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 3_2_00434B50 push eax; retn 004Eh	3_2_00434B51
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_004732B7 push cs; ret	4_2_004732B8
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0025C3E8 push esp; iretd	4_2_0025C551
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 4_2_0025C640 pushfd ; iretd	4_2_0025C641
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_0031C0D0 push ds; ret	10_2_0031C0D7
Source: C:\Users\user\AppData\Roaming\ALP.exe	Code function: 10_2_00314B50 push eax; retn 0047h	10_2_00314B51
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002EC0D0 push ds; ret	11_2_002EC0D7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 11_2_002E4B50 push eax; retn 004Ch	11_2_002E4B51
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_0025C0D0 push ds; ret	12_2_0025C0D7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 12_2_00254B50 push eax; retn 0042h	12_2_00254B51

Source: initial sample	Static PE information: section name: .text entropy: 7.26903403564
Source: initial sample	Static PE information: section name: .text entropy: 7.26903403564

Windows Analysis Report INVOICE = 212888585 .xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.ALP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\ALP.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ALP.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to dropped file

Source: Yara match	File source: 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.477879710.000000000249D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510442930.00000000022BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.512977056.00000000022DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ALP.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ALP.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smtpsvc.exe PID: 2796, type: MEMORYSTR

Source: ALP.exe, 00000003.00000002.477879710.000000000249D000.00000004.00000001.sdmp, ALP.exe, 0000000A.00000002.510442930.00000000022BD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000B.00000002.512977056.00000000022DD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ALP.exe, 00000003.00000002.477879710.000000000249D000.00000004.00000001.sdmp, ALP.exe, 0000000A.00000002.510442930.00000000022BD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000B.00000002.512977056.00000000022DD000.00000004.00000001.sdmp, smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2648	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2644	Thread sleep time: -35196s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1440	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 3044	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2532	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 1704	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1532	Thread sleep time: -40853s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2836	Thread sleep time: -33312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2908	Thread sleep time: -42952s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 1220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe TID: 2624	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ALP.exe	Window / User API: threadDelayed 3705			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Window / User API: threadDelayed 5868			Jump to behavior

Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 35196	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 40853	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 33312	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 42952	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ALP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ALP.exe, 00000004.00000003.483036417.000000000057D000.00000004.00000001.sdmp	Binary or memory string: HVVmcicda.dll
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: ALP.exe, 00000004.00000003.483027853.00000000005A1000.00000004.00000001.sdmp	Binary or memory string: @XVmcicda.dll+
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: smtpsvc.exe, 0000000C.00000002.515854316.000000000223D000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\AppData\Roaming\ALP.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process token adjusted: Debug	Jump to behavior