Windows Analysis Report purchase order Nl32855 (1).exe

Overview

General Information

Sample Name:	purchase order Nl32855 (1).exe
Analysis ID:	526200
MD5:	c466151570c893f56d548a9689155656
SHA1:	3e779ff5c71f319fc2d3bd4fc577c4769873c47c
SHA256:	dee5267af261b8e291b83b01b12c4149204b20754cd1714bd974ae1dae447a44
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Connects to many ports of the same IP (likely port scanning)

Protects its processes via BreakOnTermination flag

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

PE file contains executable resources (Code or Archives)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6c7be0fb-d973-4d3c-b342-92a2df7c", "Group": "Wiz", "Domain1": "lizaelock.ddns.net", "Domain2": "", "Port": 52149, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe	ReversingLabs: Detection: 20%

Yara detected Nanocore RAT

Source: Yara match	File source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.917874645.000000000446B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR

Machine Learning detection for sample

Source: purchase order Nl32855 (1).exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack	Avira: Label: TR/NanoCore.fadte
Source: 20.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack	Avira: Label: TR/NanoCore.fadte
Source: 20.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: purchase order Nl32855 (1).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 4x nop then jmp 029B6D31h	0_2_029B6C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 4x nop then jmp 029B6D31h	0_2_029B6C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 4x nop then mov esp, ebp	7_2_018D8920
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 4x nop then jmp 05596D31h	10_2_05596C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 4x nop then jmp 05596D31h	10_2_05596C18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 02CE6D31h	14_2_02CE6C28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 02CE6D31h	14_2_02CE6C18

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49788 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49794 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49823 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49825 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49831 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49833 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49852 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49857 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49860 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49863 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49864 -> 194.5.98.139:52149
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49865 -> 194.5.98.139:52149

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: lizaelock.ddns.net

Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: purchase order Nl32855 (1).exe, 00000000.00000002.676055738.0000000002F01000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 0000000A.00000002.703727445.0000000003391000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.713454690.00000000031D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.731487632.0000000002C91000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/REFRWFWFGB.xsdX1
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com8
Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comc
Source: purchase order Nl32855 (1).exe, 00000000.00000003.653679924.00000000051CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comgy
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: purchase order Nl32855 (1).exe, 00000000.00000003.655594413.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers)
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000000.00000003.655797740.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: purchase order Nl32855 (1).exe, 00000000.00000003.660776049.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers6
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: purchase order Nl32855 (1).exe, 00000000.00000003.655594413.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: purchase order Nl32855 (1).exe, 00000000.00000003.655572984.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersN
Source: purchase order Nl32855 (1).exe, 00000000.00000003.656766671.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: purchase order Nl32855 (1).exe, 00000000.00000003.655412203.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: purchase order Nl32855 (1).exe, 00000000.00000003.660819604.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers6
Source: purchase order Nl32855 (1).exe, 00000000.00000003.655412203.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerso
Source: purchase order Nl32855 (1).exe, 00000000.00000003.660853088.00000000051CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomov
Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comiond
Source: purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comlvfet
Source: purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.commiv
Source: purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtteo
Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueed
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comTF
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651102643.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comicy
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comro
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comx
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: purchase order Nl32855 (1).exe, 00000000.00000003.653115791.0000000005194000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: purchase order Nl32855 (1).exe, 00000000.00000003.658391644.000000000519D000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651123603.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com-d
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651123603.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma-d
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: purchase order Nl32855 (1).exe, 00000000.00000003.652184825.0000000005199000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krl)
Source: purchase order Nl32855 (1).exe, 00000000.00000003.652184825.0000000005199000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krn
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000000.00000003.651256695.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651256695.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com.
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651276008.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com8
Source: purchase order Nl32855 (1).exe, 00000000.00000003.651301668.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comcoo
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_00619A7C	0_2_00619A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029B0EE0	0_2_029B0EE0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029BF438	0_2_029BF438
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029B6C28	0_2_029B6C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029B7F98	0_2_029B7F98
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029BD5C0	0_2_029BD5C0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029B5768	0_2_029B5768
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029B6C18	0_2_029B6C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_029B575A	0_2_029B575A
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A6B220	0_2_06A6B220
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A61E28	0_2_06A61E28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A681E0	0_2_06A681E0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A60D38	0_2_06A60D38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A61560	0_2_06A61560
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A686A0	0_2_06A686A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A68691	0_2_06A68691
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A6B6E8	0_2_06A6B6E8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A69AF0	0_2_06A69AF0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A6C6D8	0_2_06A6C6D8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64A20	0_2_06A64A20
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64E2A	0_2_06A64E2A
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A60230	0_2_06A60230
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64E38	0_2_06A64E38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A63A08	0_2_06A63A08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64A10	0_2_06A64A10
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A65A11	0_2_06A65A11
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64FD8	0_2_06A64FD8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A69B00	0_2_06A69B00
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A6AB40	0_2_06A6AB40
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A60CB9	0_2_06A60CB9
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64480	0_2_06A64480
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64490	0_2_06A64490
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A69498	0_2_06A69498
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64C08	0_2_06A64C08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A64C18	0_2_06A64C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A69879	0_2_06A69879
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A68C50	0_2_06A68C50
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A639FA	0_2_06A639FA
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A681CF	0_2_06A681CF
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_00C39A7C	7_2_00C39A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018D2FA8	7_2_018D2FA8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018D23A0	7_2_018D23A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018DB748	7_2_018DB748
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018D9A78	7_2_018D9A78
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018D8E78	7_2_018D8E78
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018D306F	7_2_018D306F
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018D9B3F	7_2_018D9B3F
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_018DD298	7_2_018DD298
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_00CF9A7C	10_2_00CF9A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_05595758	10_2_05595758
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_05597F98	10_2_05597F98
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_05596C28	10_2_05596C28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_05590EE0	10_2_05590EE0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_05596C18	10_2_05596C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08561560	10_2_08561560
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08560D38	10_2_08560D38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_085681E0	10_2_085681E0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_0856B1A0	10_2_0856B1A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08561E28	10_2_08561E28
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08568C50	10_2_08568C50
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08568C10	10_2_08568C10
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564C18	10_2_08564C18
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564C08	10_2_08564C08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564490	10_2_08564490
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08560C99	10_2_08560C99
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564480	10_2_08564480
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_085681CF	10_2_085681CF
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_085639FA	10_2_085639FA
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_0856C658	10_2_0856C658
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_0856B668	10_2_0856B668
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564A10	10_2_08564A10
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08563A08	10_2_08563A08
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08560230	10_2_08560230
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564E38	10_2_08564E38
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564A20	10_2_08564A20
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564E2A	10_2_08564E2A
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08568691	10_2_08568691
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_085686A0	10_2_085686A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_0856AB40	10_2_0856AB40
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08569B00	10_2_08569B00
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_08564FD8	10_2_08564FD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_00879A7C	14_2_00879A7C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_02CE0EE0	14_2_02CE0EE0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_02CEE019	14_2_02CEE019
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_02CE6C28	14_2_02CE6C28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_02CEF428	14_2_02CEF428
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_02CE7F98	14_2_02CE7F98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_02CED5B0	14_2_02CED5B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_02CE6C18	14_2_02CE6C18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C1E28	14_2_069C1E28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069CB1A0	14_2_069CB1A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C81E0	14_2_069C81E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C0D38	14_2_069C0D38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C1560	14_2_069C1560
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C8691	14_2_069C8691
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C86A0	14_2_069C86A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C9AF0	14_2_069C9AF0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4A10	14_2_069C4A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C5A11	14_2_069C5A11
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C3A08	14_2_069C3A08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4E38	14_2_069C4E38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C0230	14_2_069C0230
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4E2B	14_2_069C4E2B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4A20	14_2_069C4A20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069CC658	14_2_069CC658
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069CB668	14_2_069CB668
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4FD8	14_2_069C4FD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C9B00	14_2_069C9B00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069CAB40	14_2_069CAB40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C9498	14_2_069C9498
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4490	14_2_069C4490
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4480	14_2_069C4480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C0CB9	14_2_069C0CB9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4C18	14_2_069C4C18
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C8C10	14_2_069C8C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C4C08	14_2_069C4C08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C8C50	14_2_069C8C50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C9879	14_2_069C9879
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C81CF	14_2_069C81CF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C39FB	14_2_069C39FB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C1970	14_2_069C1970
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 16_2_00A69A7C	16_2_00A69A7C
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 16_2_054523A0	16_2_054523A0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 16_2_05452FA8	16_2_05452FA8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 16_2_0545306F	16_2_0545306F

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_05601772 NtSetInformationProcess,	7_2_05601772
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_05601A36 NtQuerySystemInformation,	7_2_05601A36
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_05601741 NtSetInformationProcess,	7_2_05601741
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_056019FB NtQuerySystemInformation,	7_2_056019FB

Source: purchase order Nl32855 (1).exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: qZEskWcTYJLciB.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: dhcpmon.exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: purchase order Nl32855 (1).exe	Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000000.00000002.678257023.0000000005130000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000000.00000002.676152952.0000000002F8C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000000.00000002.674723416.0000000000612000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe	Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000000.673881959.0000000000C32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917081627.000000000143A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe	Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703781417.00000000033D2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.701989732.0000000000CF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703004416.0000000001479000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe	Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000000.701139570.0000000000A62000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs purchase order Nl32855 (1).exe
Source: purchase order Nl32855 (1).exe	Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe

Source: purchase order Nl32855 (1).exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: qZEskWcTYJLciB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: unknown	Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe "C:\Users\user\Desktop\purchase order Nl32855 (1).exe"
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" 0
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_056015F6 AdjustTokenPrivileges,		7_2_056015F6
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_056015BF AdjustTokenPrivileges,		7_2_056015BF

Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6c7be0fb-d973-4d3c-b342-92a2df7c960b}
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01

Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: dhcpmon.exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: dhcpmon.exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
Source: purchase order Nl32855 (1).exe	String found in binary or memory: -Enable, Start/Stop, and Close buttons-
Source: purchase order Nl32855 (1).exe	String found in binary or memory: -Enable, Start/Stop, and Close buttons-
Source: purchase order Nl32855 (1).exe	String found in binary or memory: The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled the sleep timer will start, and after the sleep timer is ended it will sleep the computer. Prior to pressing the start button, the stop button will take its place. This button stops and resets the timers.
Source: purchase order Nl32855 (1).exe	String found in binary or memory: The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled the sleep timer will start, and after the sleep timer is ended it will sleep the computer. Prior to pressing the start button, the stop button will take its place. This button stops and resets the timers.

Source: purchase order Nl32855 (1).exe, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: qZEskWcTYJLciB.exe.0.dr, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.purchase order Nl32855 (1).exe.610000.0.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.purchase order Nl32855 (1).exe.610000.0.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.7.dr, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.purchase order Nl32855 (1).exe.c30000.2.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.purchase order Nl32855 (1).exe.c30000.9.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.purchase order Nl32855 (1).exe.c30000.7.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: purchase order Nl32855 (1).exe, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: qZEskWcTYJLciB.exe.0.dr, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.purchase order Nl32855 (1).exe.610000.0.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.purchase order Nl32855 (1).exe.610000.0.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.7.dr, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.2.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.9.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.7.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.0.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.11.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.13.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.1.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.c30000.3.unpack, SmarterTrackTranslator/Form1.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_0061B846 push 00000000h; iretd	0_2_0061B854
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A67E0F push es; retf	0_2_06A67EEC
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A687E4 pushfd ; retf	0_2_06A687E5
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A670BB push ecx; ret	0_2_06A670BC
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A6789C push dword ptr [edx+76h]; iretd	0_2_06A678AC
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A62C6F push es; iretd	0_2_06A62C70
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A62C77 push es; retn A623h	0_2_06A62CA8
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A67D68 push es; retf	0_2_06A67EEC
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 0_2_06A67D68 push es; iretd	0_2_06A67F58
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 7_2_00C3B846 push 00000000h; iretd	7_2_00C3B854
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_00CFB846 push 00000000h; iretd	10_2_00CFB854
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_0856789C push dword ptr [edx+76h]; iretd	10_2_085678AC
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_085670BB push ecx; ret	10_2_085670BC
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 10_2_085687E4 pushfd ; retf	10_2_085687E5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_0087B846 push 00000000h; iretd	14_2_0087B854
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C7E8A push es; retf	14_2_069C7EEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C7EEE push es; retf	14_2_069C7EEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C7EEE push es; iretd	14_2_069C7F58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C87E4 pushfd ; retf	14_2_069C87E5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C789C push dword ptr [edx+76h]; iretd	14_2_069C78AC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C70BB push ecx; ret	14_2_069C70BC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C2C75 push es; retn 9C23h	14_2_069C2CA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C2C6E push es; iretd	14_2_069C2C70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C7D68 push es; retf	14_2_069C7EEC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_069C7D68 push es; iretd	14_2_069C7F58
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Code function: 16_2_00A6B846 push 00000000h; iretd	16_2_00A6B854

Source: initial sample	Static PE information: section name: .text entropy: 7.63859252241
Source: initial sample	Static PE information: section name: .text entropy: 7.63859252241
Source: initial sample	Static PE information: section name: .text entropy: 7.63859252241

Windows Analysis Report purchase order Nl32855 (1).exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	File created: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe			Jump to dropped file

Source: purchase order Nl32855 (1).exe, 00000000.00000002.676113225.0000000002F59000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 0000000A.00000002.703802767.00000000033E9000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.713518406.0000000003229000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: purchase order Nl32855 (1).exe, 00000000.00000002.676113225.0000000002F59000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 0000000A.00000002.703802767.00000000033E9000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.713518406.0000000003229000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep count: 298 > 30	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep count: 269 > 30	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6788	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6684	Thread sleep time: -340000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 7116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 5036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5028	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: purchase order Nl32855 (1).exe, 00000007.00000002.917126937.000000000149B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: dhcpmon.exe, 00000011.00000002.730911591.0000000000B80000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917126937.000000000149B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWY
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703244929.0000000001529000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r
Source: dhcpmon.exe, 0000000E.00000002.712642337.00000000010B4000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Memory written: C:\Users\user\Desktop\purchase order Nl32855 (1).exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Memory written: C:\Users\user\Desktop\purchase order Nl32855 (1).exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: purchase order Nl32855 (1).exe, 00000007.00000002.917716998.0000000003598000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917483603.0000000001B10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917483603.0000000001B10000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917483603.0000000001B10000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917684252.000000000353A000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|9
Source: purchase order Nl32855 (1).exe, 00000007.00000002.917637756.00000000034A8000.00000004.00000001.sdmp	Binary or memory string: Program Manager\6