Windows Analysis Report purchase order Nl32855 (1).exe

Overview

General Information

Sample Name: purchase order Nl32855 (1).exe
Analysis ID: 526200
MD5: c466151570c893f56d548a9689155656
SHA1: 3e779ff5c71f319fc2d3bd4fc577c4769873c47c
SHA256: dee5267af261b8e291b83b01b12c4149204b20754cd1714bd974ae1dae447a44
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • purchase order Nl32855 (1).exe (PID: 6824 cmdline: "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" MD5: C466151570C893F56D548A9689155656)
    • schtasks.exe (PID: 5936 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • purchase order Nl32855 (1).exe (PID: 1668 cmdline: {path} MD5: C466151570C893F56D548A9689155656)
      • schtasks.exe (PID: 3396 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3296 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • purchase order Nl32855 (1).exe (PID: 4864 cmdline: "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" 0 MD5: C466151570C893F56D548A9689155656)
    • schtasks.exe (PID: 6764 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6700 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: C466151570C893F56D548A9689155656)
    • schtasks.exe (PID: 7044 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6252 cmdline: {path} MD5: C466151570C893F56D548A9689155656)
  • dhcpmon.exe (PID: 7084 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C466151570C893F56D548A9689155656)
    • schtasks.exe (PID: 6864 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 5820 cmdline: {path} MD5: C466151570C893F56D548A9689155656)
    • dhcpmon.exe (PID: 2044 cmdline: {path} MD5: C466151570C893F56D548A9689155656)
    • dhcpmon.exe (PID: 5984 cmdline: {path} MD5: C466151570C893F56D548A9689155656)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6c7be0fb-d973-4d3c-b342-92a2df7c", "Group": "Wiz", "Domain1": "lizaelock.ddns.net", "Domain2": "", "Port": 52149, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(115 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4083:$x1: NanoCore.ClientPluginHost
16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4083:$x2: NanoCore.ClientPluginHost
  • 0x4161:$s4: PipeCreated
  • 0x409d:$s5: IClientLoggingHost
27.2.dhcpmon.exe.4513ac3.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost
  • 0x151e3:$x1: NanoCore.ClientPluginHost
  • 0x2e17a:$x1: NanoCore.ClientPluginHost
  • 0x15210:$x2: IClientNetworkHost
  • 0x2e1a7:$x2: IClientNetworkHost
27.2.dhcpmon.exe.4513ac3.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1646:$x2: NanoCore.ClientPluginHost
  • 0x151e3:$x2: NanoCore.ClientPluginHost
  • 0x2e17a:$x2: NanoCore.ClientPluginHost
  • 0x1724:$s4: PipeCreated
  • 0x162be:$s4: PipeCreated
  • 0x2f255:$s4: PipeCreated
  • 0x1660:$s5: IClientLoggingHost
  • 0x151fd:$s5: IClientLoggingHost
  • 0x2e194:$s5: IClientLoggingHost
27.2.dhcpmon.exe.4513ac3.6.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(222 further unpacked PE entries not shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\purchase order Nl32855 (1).exe, ProcessId: 1668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\purchase order Nl32855 (1).exe, ProcessId: 1668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" , ParentImage: C:\Users\user\Desktop\purchase order Nl32855 (1).exe, ParentProcessId: 6824, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp, ProcessId: 5936

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\purchase order Nl32855 (1).exe, ProcessId: 1668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\purchase order Nl32855 (1).exe, ProcessId: 1668, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6c7be0fb-d973-4d3c-b342-92a2df7c", "Group": "Wiz", "Domain1": "lizaelock.ddns.net", "Domain2": "", "Port": 52149, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe | ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match | File source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.917874645.000000000446B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR
Machine Learning detection for sample
Source: purchase order Nl32855 (1).exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe | Joe Sandbox ML: detected
Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 20.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack | Avira: Label: TR/NanoCore.fadte
Source: 20.0.dhcpmon.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.dhcpmon.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: purchase order Nl32855 (1).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: purchase order Nl32855 (1).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 4x nop then jmp 029B6D31h
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 4x nop then jmp 029B6D31h
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 4x nop then jmp 05596D31h
Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 4x nop then jmp 05596D31h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then jmp 02CE6D31h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then jmp 02CE6D31h

Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49788 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49794 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49823 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49825 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49831 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49833 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49852 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49857 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49860 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49863 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49864 -> 194.5.98.139:52149
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49865 -> 194.5.98.139:52149
        Connects to many ports of the same IP (likely port scanning)
        Source: global traffic | TCP traffic: 194.5.98.139 ports 1,2,4,5,9,52149
        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor | URLs: lizaelock.ddns.net
        Uses dynamic DNS services
        Source: unknown | DNS query: name: lizaelock.ddns.net
        Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
        Source: global traffic | TCP traffic: 192.168.2.4:49779 -> 194.5.98.139:52149
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.676055738.0000000002F01000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 0000000A.00000002.703727445.0000000003391000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.713454690.00000000031D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.731487632.0000000002C91000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/REFRWFWFGB.xsdX1
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com8
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comal
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comc
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.653679924.00000000051CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comgy
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.655594413.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers)
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000000.00000003.655797740.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.660776049.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers6
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.655594413.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.655572984.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersN
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.656766671.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersb
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.655412203.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersers
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.660819604.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersers6
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.655412203.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerso
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.660853088.00000000051CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomov
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiond
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlvfet
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commiv
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtteo
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comueed
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comTF
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651102643.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comicy
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comro
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comx
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.653115791.0000000005194000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.658391644.000000000519D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651123603.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com-d
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651123603.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma-d
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.652184825.0000000005199000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krl)
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.652184825.0000000005199000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krn
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000000.00000003.651256695.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651256695.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com.
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651276008.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com8
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.651301668.00000000051AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comcoo
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
        Source: purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
        Source: unknown | DNS traffic detected: queries for: lizaelock.ddns.net
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_05602FE2 WSARecv,
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.917874645.000000000446B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR

        Operating System Destruction:

        Protects its processes via BreakOnTermination flag
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process information set: 01 00 00 00

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.34e8b54.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.2.purchase order Nl32855 (1).exe.3328aac.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.34e3ac8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.450ec86.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.5ff0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.2.dhcpmon.exe.38a8b54.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.38a3ac8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.34e3ac8.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.5d50000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.2.dhcpmon.exe.38a3ac8.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.2.dhcpmon.exe.48cec86.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.34264a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.922681658.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.922602924.0000000005D50000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
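        The source identifiers in the match list above encode where each YARA hit was found: an unpacked PE dump carries the sandbox process index, dump stage, image name and base address, and a memory dump (.sdmp) additionally carries the page protection of the region. The Python below is an added example, not part of this sandbox report, that parses such lines into records and summarizes which rules hit which process and which hits sit in executable pages. The sample lines are copied from the list above; the field layout assumed for the .sdmp names (hex process index, stage, id, base address, protection, flags) is inferred from the visible patterns and is an assumption, not something the report documents.

```python
"""Parse the YARA match lines of a sandbox report into structured records.

Added example, not part of the original report. SAMPLE_LINES are copied from the
match list above (one of each source kind); the decoding of the .sdmp file name is
an assumption inferred from the visible patterns, not documented by the report.
"""
import re
from collections import defaultdict

# Constructed input: five lines taken from the report above. The page extraction
# fused the "type" column into "Matched rule" (e.g. "UNPACKEDPEMatched"); the
# parser accepts that fused form as well as the comma-separated form.
SAMPLE_LINES = [
    "Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
]

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>[A-Z]+)[,;]?\s*"
    r"Matched rule: (?P<rule>.+?),? Author: (?P<author>.+)$"
)
# <process index>.<stage>.<image name>.<base hex>.<dump index>.[raw.]unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d)\.(.+?)\.([0-9a-f]+)\.(\d+)\.(raw\.)?unpack$")
# Assumed layout: <process index hex>.<stage hex>.<id>.<base>.<protection>.<flags>.sdmp
# (0000001B pairs with the "27.x.dhcpmon.exe" unpack entries, so the index is hex).
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$"
)
PROCMEM_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")

# Windows page protection constants from winnt.h; 0x10..0x80 are the execute variants.
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
PROTECTION_NAMES = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}


def parse_line(line):
    """Return a record dict for one match line, or None if it is not a match line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "rule": m["rule"], "author": m["author"],
           "process": None, "image": None, "base": None, "protect": None}
    src = m["source"]
    if u := UNPACK_RE.match(src):
        rec.update(process=int(u[1]), stage=int(u[2]), image=u[3],
                   base=int(u[4], 16), raw=u[6] is not None)
    elif s := SDMP_RE.match(src):
        rec.update(process=int(s[1], 16), stage=int(s[2], 16),
                   base=int(s[3], 16), protect=int(s[4], 16))
    elif p := PROCMEM_RE.match(src):
        rec.update(image=p[1], pid=int(p[2]))
    return rec


def parse_report(lines):
    return [r for r in map(parse_line, lines) if r]


def rules_by_process(records):
    """Map sandbox process index -> sorted distinct rule names that hit it."""
    hits = defaultdict(set)
    for r in records:
        if r["process"] is not None:
            hits[r["process"]].add(r["rule"])
    return {k: sorted(v) for k, v in hits.items()}


def executable_matches(records):
    """(process, base, protection) for memory-dump hits that sit in executable pages."""
    return [
        (r["process"], r["base"], PROTECTION_NAMES.get(r["protect"], hex(r["protect"])))
        for r in records
        if r["protect"] is not None and r["protect"] & PAGE_EXECUTE_MASK
    ]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LINES)
    print(rules_by_process(recs))
    print(executable_matches(recs))
```

The rule name is kept exactly as the report prints it (the description string of the matching rule), so the "Detetcs the Nanocore RAT" spelling from Florian Roth's rule metadata is preserved rather than normalized. Hits whose assumed protection field has an execute bit set, such as the 0x402000 regions with 0x40 (PAGE_EXECUTE_READWRITE), are the ones worth pulling first when triaging which process holds the running payload.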
        Initial sample is a PE file and has a suspicious name
        Source: initial sample, Static PE information: Filename: purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.2.dhcpmon.exe.34e8b54.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.2.dhcpmon.exe.34e8b54.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 16.2.purchase order Nl32855 (1).exe.3328aac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.3328aac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.2.dhcpmon.exe.34e3ac8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.2.dhcpmon.exe.34e3ac8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.2.dhcpmon.exe.450ec86.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.2.dhcpmon.exe.450ec86.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.5ff0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.purchase order Nl32855 (1).exe.5ff0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.2.dhcpmon.exe.38a8b54.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.2.dhcpmon.exe.38a8b54.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.2.dhcpmon.exe.38a3ac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.2.dhcpmon.exe.38a3ac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.2.dhcpmon.exe.34e3ac8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.2.dhcpmon.exe.34e3ac8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.5d50000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.purchase order Nl32855 (1).exe.5d50000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.3323a20.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.2.dhcpmon.exe.38a3ac8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.2.dhcpmon.exe.38a3ac8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Yara rule metadata (identical for every match below, so it is listed once):
        Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 20.2.dhcpmon.exe.48cec86.5.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.3421628.2.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.34264a4.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
        Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
        Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
        Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000007.00000002.922681658.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000007.00000002.922602924.0000000005D50000.00000004.00020000.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2
        Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_00619A7C
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029B0EE0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029BF438
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029B6C28
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029B7F98
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029BD5C0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029B5768
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029B6C18
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_029B575A
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A6B220
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A61E28
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A681E0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A60D38
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A61560
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A686A0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A68691
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A6B6E8
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A69AF0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A6C6D8
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64A20
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64E2A
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A60230
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64E38
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A63A08
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64A10
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A65A11
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64FD8
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A69B00
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A6AB40
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A60CB9
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64480
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64490
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A69498
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64C08
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A64C18
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A69879
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A68C50
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A639FA
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A681CF
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_00C39A7C
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018D2FA8
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018D23A0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018DB748
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018D9A78
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018D8E78
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018D306F
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018D9B3F
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_018DD298
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_00CF9A7C
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_05595758
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_05597F98
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_05596C28
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_05590EE0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_05596C18
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08561560
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08560D38
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_085681E0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_0856B1A0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08561E28
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08568C50
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08568C10
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564C18
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564C08
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564490
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08560C99
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564480
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_085681CF
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_085639FA
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_0856C658
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_0856B668
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564A10
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08563A08
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08560230
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564E38
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564A20
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564E2A
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08568691
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_085686A0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_0856AB40
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08569B00
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_08564FD8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00879A7C
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02CE0EE0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02CEE019
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02CE6C28
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02CEF428
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02CE7F98
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02CED5B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02CE6C18
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C1E28
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069CB1A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C81E0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C0D38
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C1560
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C8691
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C86A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C9AF0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4A10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C5A11
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C3A08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4E38
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C0230
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4E2B
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4A20
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069CC658
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069CB668
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4FD8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C9B00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069CAB40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C9498
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4490
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C0CB9
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4C18
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C8C10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C4C08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C8C50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C9879
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C81CF
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C39FB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C1970
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 16_2_00A69A7C
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 16_2_054523A0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 16_2_05452FA8
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 16_2_0545306F
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_05601772 NtSetInformationProcess,
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_05601A36 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_05601741 NtSetInformationProcess,
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_056019FB NtQuerySystemInformation,
        Source: purchase order Nl32855 (1).exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: qZEskWcTYJLciB.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: dhcpmon.exe.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: purchase order Nl32855 (1).exe | Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.678257023.0000000005130000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.676152952.0000000002F8C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.674723416.0000000000612000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe | Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000007.00000000.673881959.0000000000C32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917081627.000000000143A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe | Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703781417.00000000033D2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 0000000A.00000002.701989732.0000000000CF2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703004416.0000000001479000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe | Binary or memory string: OriginalFilename vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000010.00000000.701139570.0000000000A62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe | Binary or memory string: OriginalFilenameTLq1z.exeP vs purchase order Nl32855 (1).exe
        Source: purchase order Nl32855 (1).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: qZEskWcTYJLciB.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.7.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeFile read: C:\Users\user\Desktop\purchase order Nl32855 (1).exeJump to behavior
        Source: purchase order Nl32855 (1).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe "C:\Users\user\Desktop\purchase order Nl32855 (1).exe"
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" 0
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_056015F6 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_056015BF AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File created: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File created: C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@34/14@18/1
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{6c7be0fb-d973-4d3c-b342-92a2df7c960b}
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: purchase order Nl32855 (1).exe | String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
        Source: dhcpmon.exe | String found in binary or memory: om red to green to show if its enabled -Enable, Start/Stop, and Close buttons- The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled th
        Source: purchase order Nl32855 (1).exe | String found in binary or memory: -Enable, Start/Stop, and Close buttons-
        Source: purchase order Nl32855 (1).exe | String found in binary or memory: The Start/Stop button will begin the sleep process. If the Sleep Timer is not enabled, the computer will instantly go to sleep upon pressing it. If the sleep timer is enabled the sleep timer will start, and after the sleep timer is ended it will sleep the computer. Prior to pressing the start button, the stop button will take its place. This button stops and resets the timers.
        Source: purchase order Nl32855 (1).exe, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: qZEskWcTYJLciB.exe.0.dr, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.2.purchase order Nl32855 (1).exe.610000.0.unpack, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.0.purchase order Nl32855 (1).exe.610000.0.unpack, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: dhcpmon.exe.7.dr, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.2.unpack, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.9.unpack, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.7.unpack, ue000.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: purchase order Nl32855 (1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: purchase order Nl32855 (1).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: purchase order Nl32855 (1).exe, 00000007.00000002.917579790.0000000003411000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: purchase order Nl32855 (1).exe, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: qZEskWcTYJLciB.exe.0.dr, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.2.purchase order Nl32855 (1).exe.610000.0.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.0.purchase order Nl32855 (1).exe.610000.0.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: dhcpmon.exe.7.dr, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.2.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.9.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.7.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.0.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.11.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.13.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.1.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.c30000.3.unpack, SmarterTrackTranslator/Form1.cs | .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_0061B846 push 00000000h; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A67E0F push es; retf
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A687E4 pushfd ; retf
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A670BB push ecx; ret
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A6789C push dword ptr [edx+76h]; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A62C6F push es; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A62C77 push es; retn A623h
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A67D68 push es; retf
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 0_2_06A67D68 push es; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 7_2_00C3B846 push 00000000h; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_00CFB846 push 00000000h; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_0856789C push dword ptr [edx+76h]; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_085670BB push ecx; ret
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 10_2_085687E4 pushfd ; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0087B846 push 00000000h; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C7E8A push es; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C7EEE push es; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C7EEE push es; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C87E4 pushfd ; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C789C push dword ptr [edx+76h]; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C70BB push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C2C75 push es; retn 9C23h
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C2C6E push es; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C7D68 push es; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_069C7D68 push es; iretd
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Code function: 16_2_00A6B846 push 00000000h; iretd
        Source: initial sample | Static PE information: section name: .text entropy: 7.63859252241
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | File created: C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	File opened: C:\Users\user\Desktop\purchase order Nl32855 (1).exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match	File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR
        Source: Yara match	File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR
        Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR
        Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.676113225.0000000002F59000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 0000000A.00000002.703802767.00000000033E9000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.713518406.0000000003229000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.676113225.0000000002F59000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 0000000A.00000002.703802767.00000000033E9000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.713518406.0000000003229000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6864	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep count: 298 > 30
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep count: 269 > 30
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6788	Thread sleep count: 54 > 30
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6712	Thread sleep count: 46 > 30
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6684	Thread sleep time: -340000s >= -30000s
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 7116	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7052	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 5036	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2588	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2284	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5028	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe	Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeWindow / User API: foregroundWindowGot 878
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeCode function: 7_2_0560181A GetSystemInfo,
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
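        Almost every delay above carries the same value, 922337203685477. That is the most negative 64-bit relative interval (2^63 ticks of 100 ns) expressed in whole milliseconds, which is how an infinite wait (Sleep(INFINITE) / Timeout.Infinite) appears at the NtDelayExecution level; the sample parks threads for good rather than tuning a timer to beat the sandbox's 30 s threshold. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses report lines of the two shapes shown above, treats the numbers as milliseconds (an assumption; the "s" suffix in the sleep-time lines notwithstanding, that is the only unit under which the value equals the infinite-wait sentinel) and buckets each delay as short, long or infinite per process image.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The most negative 64-bit relative interval (2**63 ticks of 100 ns) is the
# sentinel Windows uses for an infinite wait at the NtDelayExecution level.
# In whole milliseconds it is 922337203685477, the value the report repeats.
INFINITE_WAIT_MS = 2**63 // 10_000
# The report's own comparison uses a 30 s threshold ("... >= -30000s").
LONG_SLEEP_MS = 30_000

# Two line shapes occur above. Assumption: the numbers are milliseconds; the
# "s" suffix in the sleep-time lines notwithstanding, that is the only unit
# under which the recurring value equals the infinite-wait sentinel.
_SLEEP_RE = re.compile(r"Thread sleep time:\s*(-?\d+)s")
_DELAY_RE = re.compile(r"Thread delayed:\s*delay time:\s*(-?\d+)")
# Source path runs up to the next field, with or without a " | " separator.
_SRC_RE = re.compile(r"Source:\s*(.*?)\s*(?:\|\s*)?(?:TID:|Thread )")


@dataclass(frozen=True)
class SleepEvent:
    source: str
    delay_ms: int
    verdict: str


def classify_delay(delay_ms: int) -> str:
    """Bucket a delay the way an analyst reads it."""
    if delay_ms >= INFINITE_WAIT_MS:
        return "infinite"   # the thread is parked and never resumes
    if delay_ms >= LONG_SLEEP_MS:
        return "long"       # outlives a typical sandbox run
    return "short"


def parse_sleep_line(line: str) -> Optional[SleepEvent]:
    """Parse one 'Thread sleep time' or 'Thread delayed: delay time' line."""
    m = _SLEEP_RE.search(line) or _DELAY_RE.search(line)
    if m is None:
        return None   # e.g. the bare "Last function: Thread delayed" lines
    # NtDelayExecution takes a negative relative interval and the report keeps
    # the sign; only the magnitude matters here.
    delay_ms = abs(int(m.group(1)))
    src = _SRC_RE.search(line)
    source = src.group(1) if src else "?"
    return SleepEvent(source, delay_ms, classify_delay(delay_ms))


def summarize(lines) -> dict:
    """Count verdicts per process image, e.g. {'dhcpmon.exe': Counter({'infinite': 2})}."""
    out: dict = {}
    for line in lines:
        ev = parse_sleep_line(line)
        if ev is None:
            continue
        image = ev.source.rsplit("\\", 1)[-1]
        out.setdefault(image, Counter())[ev.verdict] += 1
    return out


# Lines copied from the report above, field separators as extracted.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 6684Thread sleep time: -340000s >= -30000s",
    r"Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe TID: 7116Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7052Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\System32\conhost.exeLast function: Thread delayed",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477",
]

if __name__ == "__main__":
    for image, counts in summarize(REPORT_LINES).items():
        print(f"{image}: {dict(counts)}")
```

        The per-image summary is what to compare between the dropper and the persisted copy: both park threads indefinitely, so a sandbox that only extends its run time will not see further behaviour from those threads.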
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917126937.000000000149B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
        Source: dhcpmon.exe, 00000011.00000002.730911591.0000000000B80000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917126937.000000000149B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWY
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: purchase order Nl32855 (1).exe, 0000000A.00000002.703244929.0000000001529000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r
        Source: dhcpmon.exe, 0000000E.00000002.712642337.00000000010B4000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 00000011.00000002.731551928.0000000002CE9000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
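        The strings above are the evidence behind the AntiVM YARA hit, but they are of two kinds. Registry paths such as SOFTWARE\VMware, Inc.\VMware Tools, HARDWARE\DEVICEMAP\Scsi\Scsi Port N\..., SYSTEM\ControlSet001\Services\Disk\Enum and the display adapter device class {4D36E968-E325-11CE-BFC1-08002BE10318} are only in memory because the code references them, so they show an active check. Strings such as "VMware SVGA II", the NECVMWar SCSI CD-ROM device path or the "Hyper-V RAW" Winsock provider from mswsock.dll are what a VMware or Hyper-V host leaks into every process, and in the dropper's heap regions (01529000, 0149B000) they are just as likely to be the sandbox's own environment as a check. The Python below is an added example, not part of the report; the indicator list and the probe/value split are my own heuristic, not the YARA rule's logic. It scans a strings dump for both kinds and only reports an active anti-VM check when a probe location is present. The two sample dumps are the report's own strings, NUL-joined.

```python
import re
from dataclasses import dataclass
from typing import List

# (pattern, category, kind). kind "probe" marks a location the code must open
# itself, so its presence is evidence of an active check; kind "value" marks a
# string that a VMware/Hyper-V host leaks into any process (or that the code
# compares against), which on its own proves nothing about the sample.
INDICATORS = [
    (r"SOFTWARE\\VMware, Inc\.\\VMware Tools", "registry", "probe"),
    (r"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+", "registry", "probe"),
    (r"SYSTEM\\ControlSet001\\Services\\Disk\\Enum", "registry", "probe"),
    # {4D36E968-...} is GUID_DEVCLASS_DISPLAY; subkey 0000 names the adapter.
    (r"SYSTEM\\ControlSet001\\Control\\Class\\\{4D36E968-E325-11CE-BFC1-08002BE10318\}",
     "registry", "probe"),
    (r"C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\", "filesystem", "probe"),
    (r"VMware SVGA II", "display-adapter", "value"),
    (r"Ven_NECVMWar&Prod_VMware_SATA_CD00", "scsi-device", "value"),
    (r"Hyper-V RAW", "winsock-provider", "value"),
]
_COMPILED = [(re.compile(p), cat, kind) for p, cat, kind in INDICATORS]


@dataclass(frozen=True)
class Hit:
    category: str
    kind: str
    text: str
    offset: int


def scan_strings(blob: str) -> List[Hit]:
    """Locate every indicator in a strings dump or extracted memory region."""
    hits = [Hit(cat, kind, m.group(0), m.start())
            for rx, cat, kind in _COMPILED
            for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: List[Hit]) -> str:
    """Only a probe location justifies calling it an anti-VM check."""
    if not hits:
        return "none"
    if any(h.kind == "probe" for h in hits):
        return "active anti-VM check"
    return "inconclusive"   # host strings only; could be the sandbox itself


# Strings copied from the dhcpmon.exe region 02CE9000 above, NUL-joined.
DHCPMON_DUMP = "\x00".join([
    r"VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True",
    "InstallPath%C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    r"""VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum""",
    r"vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000",
])
# Strings copied from the dropper's heap regions 01529000 / 0149B000 above.
DROPPER_DUMP = "\x00".join([
    r"\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
])

if __name__ == "__main__":
    for name, blob in (("dhcpmon.exe", DHCPMON_DUMP), ("dropper", DROPPER_DUMP)):
        hits = scan_strings(blob)
        print(name, verdict(hits), sorted({(h.category, h.kind) for h in hits}))
```

        Run against the two dumps, the dhcpmon.exe region yields registry and filesystem probes and is called an active check; the dropper's heap yields only device and Winsock strings and stays inconclusive. That is the distinction to keep in mind before counting every "vmware" string in a memory dump as evasion.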
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into foreign processes
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Memory written: C:\Users\user\Desktop\purchase order Nl32855 (1).exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Memory written: C:\Users\user\Desktop\purchase order Nl32855 (1).exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Process created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
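        Two behaviours sit in this group. The "Memory written ... base: 400000 value starts with: 4D5A" events show the dropper and dhcpmon.exe each writing a fresh PE header over the image base of a child that runs the same executable (the "{path}" children), i.e. they hollow a copy of themselves. The schtasks events are the persistence: tasks "Updates\qZEskWcTYJLciB", "DHCP Monitor" and "DHCP Monitor Task" are created from XML definitions staged as tmpXXXX.tmp files under the user's AppData\Local\Temp, which is the pattern the "Suspicius Add Task From User AppData Temp" Sigma hit in the signature list refers to. The Python below is an added example, not part of the report or of any Sigma rule. It parses report lines of those two shapes (as extracted, with or without a field separator) and emits a finding for each; the command-line parsing is limited to the /TN and /XML switches seen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Report line shapes as extracted above, with or without a " | " separator.
_PROC_RE = re.compile(
    r"Source:\s*(?P<parent>.+?\.exe)\s*(?:\|\s*)?Process created:\s*"
    r"(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$")
_WRITE_RE = re.compile(
    r"Source:\s*(?P<writer>.+?\.exe)\s*(?:\|\s*)?Memory written:\s*(?P<target>.+?\.exe)"
    r"\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+)")
# schtasks switches are case-insensitive; the task name may be quoted or bare,
# and the report drops the closing quote of the /XML argument.
_TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
_XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"?|(\S+))', re.I)
_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str   # short label for the behaviour
    process: str     # image name of the process responsible
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_schtasks(parent: str, image: str, cmdline: str) -> Optional[Finding]:
    """Flag schtasks /Create whose task definition is staged under AppData\\Local\\Temp."""
    if _basename(image).lower() != "schtasks.exe" or "/create" not in cmdline.lower():
        return None
    tn, xml = _TN_RE.search(cmdline), _XML_RE.search(cmdline)
    name = (tn.group(1) or tn.group(2)) if tn else "?"
    xml_path = (xml.group(1) or xml.group(2)) if xml else ""
    if not _TEMP_RE.search(xml_path):
        return None
    return Finding("scheduled-task-from-temp", _basename(parent),
                   f"task {name} created from {xml_path}")


def check_memory_write(writer: str, target: str, base: str, magic: str) -> Optional[Finding]:
    """Flag a PE header (MZ = 4D5A) written over another process's image base."""
    if magic.upper() != "4D5A":
        return None
    same_image = _basename(writer).lower() == _basename(target).lower()
    label = "self-hollowing" if same_image else "remote-pe-injection"
    return Finding(label, _basename(writer),
                   f"wrote MZ header into {_basename(target)} at 0x{int(base, 16):X}")


def triage(lines) -> List[Finding]:
    """Run both checks over report lines; findings keep input order."""
    findings: List[Finding] = []
    for line in lines:
        proc = _PROC_RE.search(line)
        if proc:
            f = check_schtasks(proc["parent"], proc["image"], proc["cmdline"])
        else:
            write = _WRITE_RE.search(line)
            f = (check_memory_write(write["writer"], write["target"], write["base"], write["magic"])
                 if write else None)
        if f is not None:
            findings.append(f)
    return findings


# Lines copied from the report above, field separators as extracted.
REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeMemory written: C:\Users\user\Desktop\purchase order Nl32855 (1).exe base: 400000 value starts with: 4D5A',
    r'Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp',
    r'Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeProcess created: C:\Users\user\Desktop\purchase order Nl32855 (1).exe {path}',
    r'Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp',
    r'Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp',
]

if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f"[{f.technique}] {f.process}: {f.detail}")
```

        The "{path}" self-spawn lines produce no finding on their own; it is the MZ write into a child of the same image that turns them into a hollowing chain. On a live host the equivalent telemetry is Security event 4698 (task created, with the task XML) paired with the process creation of schtasks.exe from a user-writable location.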
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917716998.0000000003598000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917483603.0000000001B10000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917483603.0000000001B10000.00000002.00020000.sdmp | Binary or memory string: Progman
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917483603.0000000001B10000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917684252.000000000353A000.00000004.00000001.sdmp | Binary or memory string: Program Manager|9
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.917637756.00000000034A8000.00000004.00000001.sdmp | Binary or memory string: Program Manager\6
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match, File source: 27.2.dhcpmon.exe.4513ac3.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.2.purchase order Nl32855 (1).exe.434ec86.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.2.purchase order Nl32855 (1).exe.4353ac3.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.2.dhcpmon.exe.45194f9.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.0.purchase order Nl32855 (1).exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.4486ab9.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.446db22.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.2.dhcpmon.exe.48cec86.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.3d93c38.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.0.purchase order Nl32855 (1).exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.42d3c38.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.2.purchase order Nl32855 (1).exe.43594f9.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.2.dhcpmon.exe.48d94f9.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.2.dhcpmon.exe.48d94f9.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.2.dhcpmon.exe.48d3ac3.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.2.dhcpmon.exe.45194f9.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.6004629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.purchase order Nl32855 (1).exe.405d0e8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.6000000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.0.purchase order Nl32855 (1).exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 16.0.purchase order Nl32855 (1).exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.2.dhcpmon.exe.450ec86.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.0.purchase order Nl32855 (1).exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.purchase order Nl32855 (1).exe.4482490.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.purchase order Nl32855 (1).exe.40e14f8.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.3d93c38.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.42d3c38.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.purchase order Nl32855 (1).exe.4493c38.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.purchase order Nl32855 (1).exe.4003c38.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000002.917874645.000000000446B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 6824, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 1668, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 4864, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6700, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: purchase order Nl32855 (1).exe PID: 5580, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7084, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6252, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5984, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: purchase order Nl32855 (1).exe, 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: purchase order Nl32855 (1).exe, 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: purchase order Nl32855 (1).exe, 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: purchase order Nl32855 (1).exe, 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeCode function: 7_2_05602B26 bind,
        Source: C:\Users\user\Desktop\purchase order Nl32855 (1).exeCode function: 7_2_05602AF6 bind,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Disable or Modify Tools 1 | Input Capture 11 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 13 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 3 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | Security Software Discovery 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 21 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 21 | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 526200
Sample: purchase order Nl32855 (1).exe
Startdate: 22/11/2021
Architecture: WINDOWS
Score: 100

Legend (graph node types): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Signatures attached to the sample node:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 15 other signatures

Process tree recovered from the graph (values in brackets are the registry-value/file counts shown on the process nodes):
• purchase order Nl32855 (1).exe [6], started from the sample
  • Dropped: C:\Users\user\AppData\...\qZEskWcTYJLciB.exe (PE32); C:\Users\user\AppData\Local\...\tmpB6B0.tmp (XML); C:\...\purchase order Nl32855 (1).exe.log (ASCII)
  • Signature: Injects a PE file into a foreign processes
  • purchase order Nl32855 (1).exe [1 15], started
    • DNS/IP: lizaelock.ddns.net 194.5.98.139, ports 49779, 49780, 49783 (DANILENKODE, Netherlands)
    • Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
    • Signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier)
    • schtasks.exe [1], started, which started conhost.exe
    • schtasks.exe [1], started, which started conhost.exe
  • schtasks.exe [1], started, which started conhost.exe
• dhcpmon.exe, started from the sample
  • schtasks.exe, started, which started conhost.exe
  • dhcpmon.exe, started
  • 2 other processes
• dhcpmon.exe [5], started from the sample
  • schtasks.exe, started, which started conhost.exe
  • dhcpmon.exe, started
• purchase order Nl32855 (1).exe [4], started from the sample
  • schtasks.exe [1], started, which started conhost.exe
  • purchase order Nl32855 (1).exe, started

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
purchase order Nl32855 (1).exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom
C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.Mardom

        Unpacked PE Files

Source | Detection | Scanner | Label
7.2.purchase order Nl32855 (1).exe.4482490.4.unpack | 100% | Avira | TR/NanoCore.fadte
20.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
27.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.0.purchase order Nl32855 (1).exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.0.purchase order Nl32855 (1).exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.0.purchase order Nl32855 (1).exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.0.purchase order Nl32855 (1).exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.0.purchase order Nl32855 (1).exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.2.purchase order Nl32855 (1).exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
27.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.2.purchase order Nl32855 (1).exe.6000000.10.unpack | 100% | Avira | TR/NanoCore.fadte
20.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
27.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.0.purchase order Nl32855 (1).exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
27.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.0.purchase order Nl32855 (1).exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.2.purchase order Nl32855 (1).exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
27.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
27.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.0.purchase order Nl32855 (1).exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.0.purchase order Nl32855 (1).exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.0.purchase order Nl32855 (1).exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
 | 0% | Avira URL Cloud | safe
http://www.fontbureau.commiv | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fonts.comro | 0% | Avira URL Cloud | safe
http://www.tiro.com8 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comcomov | 0% | Avira URL Cloud | safe
http://www.carterandcone.comal | 0% | URL Reputation | safe
http://www.tiro.com. | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fonts.comicy | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://tempuri.org/REFRWFWFGB.xsdX1 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comtteo | 0% | Avira URL Cloud | safe
http://www.carterandcone.com8 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fonts.comx | 0% | URL Reputation | safe
http://www.fontbureau.comueed | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fonts.comc | 0% | URL Reputation | safe
http://www.carterandcone.comgy | 0% | Avira URL Cloud | safe
http://www.carterandcone.comc | 0% | URL Reputation | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.fonts.comTF | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krn | 0% | Avira URL Cloud | safe
lizaelock.ddns.net | 0% | Avira URL Cloud | safe
http://www.tiro.comcoo | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com-d | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.fontbureau.comiond | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comlvfet | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.sajatypeworks.coma-d | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.sandoll.co.krl) | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
lizaelock.ddns.net | 194.5.98.139 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
lizaelock.ddns.net | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.commiv | purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comro | purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com8 | purchase order Nl32855 (1).exe, 00000000.00000003.651276008.00000000051AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcomov | purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.comal | purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com. | purchase order Nl32855 (1).exe, 00000000.00000003.651256695.00000000051AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000000.00000003.651256695.00000000051AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comicy | purchase order Nl32855 (1).exe, 00000000.00000003.651102643.00000000051AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/REFRWFWFGB.xsdX1 | purchase order Nl32855 (1).exe, 00000000.00000002.676055738.0000000002F01000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 0000000A.00000002.703727445.0000000003391000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.713454690.00000000031D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.731487632.0000000002C91000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersN | purchase order Nl32855 (1).exe, 00000000.00000003.655572984.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.com | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersers | purchase order Nl32855 (1).exe, 00000000.00000003.655412203.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comtteo | purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com8 | purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersb | purchase order Nl32855 (1).exe, 00000000.00000003.656766671.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersers6 | purchase order Nl32855 (1).exe, 00000000.00000003.660819604.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.urwpp.deDPlease | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerso | purchase order Nl32855 (1).exe, 00000000.00000003.655412203.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.fonts.comx | purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comueed | purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerst | purchase order Nl32855 (1).exe, 00000000.00000003.660853088.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | purchase order Nl32855 (1).exe, 00000000.00000003.658391644.000000000519D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comc | purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comgy | purchase order Nl32855 (1).exe, 00000000.00000003.653679924.00000000051CE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comc | purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comTC | purchase order Nl32855 (1).exe, 00000000.00000003.653582039.00000000051CE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comTF | purchase order Nl32855 (1).exe, 00000000.00000003.651079254.00000000051AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krn | purchase order Nl32855 (1).exe, 00000000.00000003.652184825.0000000005199000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comcoo | purchase order Nl32855 (1).exe, 00000000.00000003.651301668.00000000051AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com-d | purchase order Nl32855 (1).exe, 00000000.00000003.651123603.00000000051AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers) | purchase order Nl32855 (1).exe, 00000000.00000003.655594413.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/ | purchase order Nl32855 (1).exe, 00000000.00000003.653115791.0000000005194000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comiond | purchase order Nl32855 (1).exe, 00000000.00000003.656974223.0000000005194000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp, purchase order Nl32855 (1).exe, 00000000.00000003.655797740.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comlvfet | purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.coma-d | purchase order Nl32855 (1).exe, 00000000.00000003.651123603.00000000051AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | purchase order Nl32855 (1).exe, 00000000.00000003.674530297.0000000005190000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | purchase order Nl32855 (1).exe, 00000000.00000002.678469408.0000000006422000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers6 | purchase order Nl32855 (1).exe, 00000000.00000003.660776049.00000000051CD000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.krl) | purchase order Nl32855 (1).exe, 00000000.00000003.652184825.0000000005199000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers: | purchase order Nl32855 (1).exe, 00000000.00000003.655594413.00000000051CD000.00000004.00000001.sdmp | false | | high

                                                Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.139 | lizaelock.ddns.net | Netherlands | 208476 | DANILENKODE | true

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:526200
                                                Start date:22.11.2021
                                                Start time:11:36:24
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 12m 34s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:purchase order Nl32855 (1).exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:36
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@34/14@18/1
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 1.8% (good quality ratio 1.6%)
                                                • Quality average: 58.3%
                                                • Quality standard deviation: 19.5%
                                                HCA Information:
                                                • Successful, ratio: 91%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                • TCP Packets have been reduced to 100
                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
11:37:20 | API Interceptor | 890x Sleep call for process: purchase order Nl32855 (1).exe modified
11:37:29 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" s>$(Arg0)
11:37:29 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
11:37:34 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
11:37:35 | API Interceptor | 4x Sleep call for process: dhcpmon.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
DANILENKODE | 8mTwU7uNFV.exe | malicious | 194.5.97.131
DANILENKODE | KNpmkMT5f3.exe | malicious | 194.5.98.12
DANILENKODE | scvRj4lo1E.exe | malicious | 194.5.98.11
DANILENKODE | #RFQ ORDER484425083-NJ.exe | malicious | 194.5.98.120
DANILENKODE | RzUbuIerbF.exe | malicious | 194.5.97.207
DANILENKODE | SIGNED_COPY_IMG_ORDER_...REQUEST_IMG_123456.exe | malicious | 194.5.98.5
DANILENKODE | NOA MU21S0029729.exe | malicious | 194.5.97.207
DANILENKODE | New purchase order 4940009190,pdf.exe | malicious | 194.5.97.23
DANILENKODE | Fattura_del_cliente_V406307-scan.exe | malicious | 194.5.97.165
DANILENKODE | ML822VOG-R11.doc | malicious | 194.5.97.131
DANILENKODE | 6Xzgfme0z6.exe | malicious | 194.5.97.131
DANILENKODE | ESTADO+10+DE+NOVIEMBRE+DE+2021-101121.pdf.js | malicious | 194.5.98.48
DANILENKODE | RTQFHtPW9x.exe | malicious | 194.5.98.107
DANILENKODE | Document#053681.exe | malicious | 194.5.98.204
DANILENKODE | 4vo6jE1nlG.exe | malicious | 194.5.97.54
DANILENKODE | ORDEN DE COMPRA-PDF.exe | malicious | 194.5.97.149
DANILENKODE | Confirmation Transfer Copy MT102-Ref No#01018.exe | malicious | 194.5.98.105
DANILENKODE | Confirmation Transfer Copy MT102-Ref No-01018.exe | malicious | 194.5.98.105
DANILENKODE | PAYMENT COPY EXPORT1024 SCANNED DOCUMENT_pdf.exe | malicious | 194.5.98.30
DANILENKODE | proforma invoice.exe | malicious | 194.5.97.24

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):905728
                                                Entropy (8bit):7.6297829537885145
                                                Encrypted:false
                                                SSDEEP:24576:PrvL1uC0ETv0RlhBWDhor6xb39C0UxKe4:zjMC0EUWoWxbtC0Ux
                                                MD5:C466151570C893F56D548A9689155656
                                                SHA1:3E779FF5C71F319FC2D3BD4FC577C4769873C47C
                                                SHA-256:DEE5267AF261B8E291B83B01B12C4149204B20754CD1714BD974AE1DAE447A44
                                                SHA-512:3905DEA297E356FD7E79CF78FF74DD3991B982D8644DA7764490AF16E3805D0D5F4008875F84E9963A1108402A7552C2BBBC34C47CBC0BA49DB58FC5E0912D7E
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 20%
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...aA.a..............P.................. ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........4............................................................0............+G.. .D.L I...Xe [X.#X(....8m..... .L|Y.c 5._.Yf(.......#..xKs.;@(.....+.......+..(....(....,..+..+.-.s....z+...(....(..........(.....o....+..+..*......q.............+"...(.......(.......(.......(....+.(....+..*....0............+F.. .t.. .x.ae.b(....+d....f.b.cf(.......#].j...6@(......(....(.....+.......+...(....#........4.s....z+...(....o....(....+..+..*&..(.....*...0............+:.. ._..
                                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview: [ZoneTransfer]....ZoneId=0
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):664
                                                Entropy (8bit):5.288448637977022
                                                Encrypted:false
                                                SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                Malicious:false
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\purchase order Nl32855 (1).exe.log
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):664
                                                Entropy (8bit):5.288448637977022
                                                Encrypted:false
                                                SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                Malicious:true
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1316
                                                Entropy (8bit):5.121919122223019
                                                Encrypted:false
                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yqoxtn:cbk4oL600QydbQxIYODOLedq3/j
                                                MD5:B3EA453FCBEB8FBF6CAB740016195F59
                                                SHA1:451555DF676B904C4DBB60658A46E29F653010EC
                                                SHA-256:2B040C3DA540034472349FC447F9937078FADD816184A7F32B4E884022591331
                                                SHA-512:B82F4B94E3AF9BE25BD2449AB63438B652F406A66DB75BF8A1C96567F0519A9E413316FC3403E778A7D51699D5318E4BC1339EE65F5608E9036BC82134ECE055
                                                Malicious:false
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                C:\Users\user\AppData\Local\Temp\tmp2A39.tmp
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1310
                                                Entropy (8bit):5.109425792877704
                                                Encrypted:false
                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                Malicious:false
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1647
                                                Entropy (8bit):5.194002325084267
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGBtn:cbhK79lNQR/rydbz9I3YODOLNdq34
                                                MD5:F59692EC8A4A1CAF77DF808660F8773D
                                                SHA1:FB7428EEEAB5557BD7B2D86328000D0504F801D4
                                                SHA-256:D6C3A95C1A7F4725FC9DA533F37AE246913F3B247729B5560B0EC34022590C1C
                                                SHA-512:9D3FC95B70EE777A1B5605F92E124C5F4F512760C7303AE3B6914186FA9616AC384FCEE170D31DDF7F28965231F7DFFDD83CBFF932E8BEB293C4347938818B68
                                                Malicious:true
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Local\Temp\tmpD.tmp
                                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1647
                                                Entropy (8bit):5.194002325084267
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGBtn:cbhK79lNQR/rydbz9I3YODOLNdq34
                                                MD5:F59692EC8A4A1CAF77DF808660F8773D
                                                SHA1:FB7428EEEAB5557BD7B2D86328000D0504F801D4
                                                SHA-256:D6C3A95C1A7F4725FC9DA533F37AE246913F3B247729B5560B0EC34022590C1C
                                                SHA-512:9D3FC95B70EE777A1B5605F92E124C5F4F512760C7303AE3B6914186FA9616AC384FCEE170D31DDF7F28965231F7DFFDD83CBFF932E8BEB293C4347938818B68
                                                Malicious:false
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Local\Temp\tmpE496.tmp
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1647
                                                Entropy (8bit):5.194002325084267
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGBtn:cbhK79lNQR/rydbz9I3YODOLNdq34
                                                MD5:F59692EC8A4A1CAF77DF808660F8773D
                                                SHA1:FB7428EEEAB5557BD7B2D86328000D0504F801D4
                                                SHA-256:D6C3A95C1A7F4725FC9DA533F37AE246913F3B247729B5560B0EC34022590C1C
                                                SHA-512:9D3FC95B70EE777A1B5605F92E124C5F4F512760C7303AE3B6914186FA9616AC384FCEE170D31DDF7F28965231F7DFFDD83CBFF932E8BEB293C4347938818B68
                                                Malicious:false
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp
                                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1647
                                                Entropy (8bit):5.194002325084267
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGBtn:cbhK79lNQR/rydbz9I3YODOLNdq34
                                                MD5:F59692EC8A4A1CAF77DF808660F8773D
                                                SHA1:FB7428EEEAB5557BD7B2D86328000D0504F801D4
                                                SHA-256:D6C3A95C1A7F4725FC9DA533F37AE246913F3B247729B5560B0EC34022590C1C
                                                SHA-512:9D3FC95B70EE777A1B5605F92E124C5F4F512760C7303AE3B6914186FA9616AC384FCEE170D31DDF7F28965231F7DFFDD83CBFF932E8BEB293C4347938818B68
                                                Malicious:false
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):248
                                                Entropy (8bit):7.094528505897445
                                                Encrypted:false
                                                SSDEEP:6:X4LDAnybgCFcpJSQwP4d7r3l3TmKEt5mT1DhFtMhXvvHOxHB3GDq:X4LEnybgCFCtvd7bl3ThE4T19FtMhXvs
                                                MD5:061E700FE27D852034A5A44BF5985CCF
                                                SHA1:15B072DE6D6FDD92AE36F074345FA41985833E8D
                                                SHA-256:4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
                                                SHA-512:CF6C5458AB50C859740490985D1E7E887D1116F3FA947FF2EC49AF9997A42F3402C63EF42B93498544195D9859FBB19CCC295966564B30F5ADB4A36D4E8886C6
                                                Malicious:false
                                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.w
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):3.0
                                                Encrypted:false
                                                SSDEEP:3:qxUn:qGn
                                                MD5:70C5D1CA98E20B48E039DC2D2F27E9AC
                                                SHA1:1FF2A12B26BBF01273382148CBD51F620C9E9F37
                                                SHA-256:AF8F8563BFAE6FA1C9533608D08204BB60F1B493526451F31946600293BA5E93
                                                SHA-512:415E287E7359A1586B8A0AF6F04E19EA692B22BE0337D0B3ADB374D37F81749695B923C7CE5577D696CDD0F633F150B18D901A28D96B2B81FD706E7C3F646981
                                                Malicious:true
                                                Preview: I......H
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):53
                                                Entropy (8bit):4.581299701107217
                                                Encrypted:false
                                                SSDEEP:3:oNt+WfWVQXPlKRAXviFJ:oNwv6flAAXsJ
                                                MD5:39C4FD27C1A6910541DD4EDC5CE47CF3
                                                SHA1:0CE74106ADF74582B293815D490CBA3ED810D48A
                                                SHA-256:89D32A70C724C479490D80EF9840196B498283C1EB5E83A7E753B5BD3DB0461A
                                                SHA-512:910192D172B971BBDD30E3A693876738DB5E43C010A99C8BA3A59498F906F3FC3B61560A05A2311A594DC948BB9FA6DAA39BFD28635FA240C417C6C403D79BE4
                                                Malicious:false
                                                Preview: C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                C:\Users\user\AppData\Roaming\qZEskWcTYJLciB.exe
                                                Process:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):905728
                                                Entropy (8bit):7.6297829537885145
                                                Encrypted:false
                                                SSDEEP:24576:PrvL1uC0ETv0RlhBWDhor6xb39C0UxKe4:zjMC0EUWoWxbtC0Ux
                                                MD5:C466151570C893F56D548A9689155656
                                                SHA1:3E779FF5C71F319FC2D3BD4FC577C4769873C47C
                                                SHA-256:DEE5267AF261B8E291B83B01B12C4149204B20754CD1714BD974AE1DAE447A44
                                                SHA-512:3905DEA297E356FD7E79CF78FF74DD3991B982D8644DA7764490AF16E3805D0D5F4008875F84E9963A1108402A7552C2BBBC34C47CBC0BA49DB58FC5E0912D7E
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 20%
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...aA.a..............P.................. ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........4............................................................0............+G.. .D.L I...Xe [X.#X(....8m..... .L|Y.c 5._.Yf(.......#..xKs.;@(.....+.......+..(....(....,..+..+.-.s....z+...(....(..........(.....o....+..+..*......q.............+"...(.......(.......(.......(....+.(....+..*....0............+F.. .t.. .x.ae.b(....+d....f.b.cf(.......#].j...6@(......(....(.....+.......+...(....#........4.s....z+...(....o....(....+..+..*&..(.....*...0............+:.. ._..

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.6297829537885145
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:purchase order Nl32855 (1).exe
                                                File size:905728
                                                MD5:c466151570c893f56d548a9689155656
                                                SHA1:3e779ff5c71f319fc2d3bd4fc577c4769873c47c
                                                SHA256:dee5267af261b8e291b83b01b12c4149204b20754cd1714bd974ae1dae447a44
                                                SHA512:3905dea297e356fd7e79cf78ff74dd3991b982d8644da7764490af16e3805d0d5f4008875f84e9963a1108402a7552c2bbbc34c47cbc0ba49db58fc5e0912d7e
                                                SSDEEP:24576:PrvL1uC0ETv0RlhBWDhor6xb39C0UxKe4:zjMC0EUWoWxbtC0Ux
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...aA.a..............P.................. ........@.. ....................... ............@................................

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x4ddb1e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x619A4161 [Sun Nov 21 12:53:53 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v2.0.50727
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xddac4 | 0x57 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xde000 | 0x1200 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe0000 | 0xc | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x2000 | 0xdbb24 | 0xdbc00 | False | 0.766134945606 | data | 7.63859252241 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0xde000 | 0x1200 | 0x1200 | False | 0.366970486111 | data | 4.74333942103 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0xe0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_VERSION | 0xde090 | 0x3b8 | COM executable for DOS | |
                                                RT_MANIFEST | 0xde458 | 0xbfc | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

                                                Imports

                                                DLL | Import
                                                mscoree.dll | _CorExeMain

                                                Version Infos

                                                Description | Data
                                                Translation | 0x0000 0x04b0
                                                LegalCopyright | Copyright 2020 Jesper Hy
                                                Assembly Version | 0.1.4.0
                                                InternalName | TLq1z.exe
                                                FileVersion | 0.1.4.0
                                                CompanyName |
                                                LegalTrademarks |
                                                Comments | Create and update SmarterTrack translation files
                                                ProductName | SmarterTrack Translator
                                                ProductVersion | 0.1.4.0
                                                FileDescription | SmarterTrack Translator
                                                OriginalFilename | TLq1z.exe

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                11/22/21-11:37:34.054226 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:37:39.981039 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:37:40.280703 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:37:45.790795 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:37:50.784357 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:37:51.093945 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:37:56.610307 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:02.474522 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:38:02.840365 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:09.136075 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:15.386754 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49794 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:20.593700 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49823 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:27.289261 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49825 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:33.447629 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49831 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:39.313657 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:38:39.748357 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49833 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:45.971112 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49852 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:52.042406 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:38:52.332306 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49857 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:38:58.397492 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:38:58.714276 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49860 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:39:05.164608 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49863 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:39:11.138794 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:39:11.560279 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49864 | 52149 | 192.168.2.4 | 194.5.98.139
                                                11/22/21-11:39:17.458297 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                                11/22/21-11:39:17.857507 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49865 | 52149 | 192.168.2.4 | 194.5.98.139

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 22, 2021 11:37:33.657563925 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:33.960642099 CET | 52149 | 49779 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:33.961040020 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:34.054225922 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:34.517971992 CET | 52149 | 49779 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:34.518070936 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:34.915007114 CET | 52149 | 49779 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:34.915110111 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:35.310714960 CET | 52149 | 49779 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:35.310930014 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:35.896308899 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:36.023711920 CET | 52149 | 49779 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:36.023832083 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:36.215755939 CET | 52149 | 49779 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:36.215831041 CET | 49779 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:39.988539934 CET | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:40.279763937 CET | 52149 | 49780 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:40.279978037 CET | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:40.280703068 CET | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:40.699724913 CET | 52149 | 49780 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:40.700011015 CET | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:41.146317005 CET | 52149 | 49780 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:41.147171974 CET | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:41.302428961 CET | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:41.485635996 CET | 52149 | 49780 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:41.485831022 CET | 49780 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:45.393707991 CET | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:45.790220022 CET | 52149 | 49783 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:45.790426016 CET | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:45.790795088 CET | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:46.104109049 CET | 52149 | 49783 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:46.104252100 CET | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:46.468703032 CET | 52149 | 49783 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:46.468924046 CET | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:46.710056067 CET | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:46.835602999 CET | 52149 | 49783 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:46.835834980 CET | 49783 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:50.786201954 CET | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:51.085680008 CET | 52149 | 49784 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:51.085799932 CET | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:51.093945026 CET | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:51.488317013 CET | 52149 | 49784 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:51.488501072 CET | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:51.940798044 CET | 52149 | 49784 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:51.943435907 CET | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:52.131788015 CET | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:52.404635906 CET | 52149 | 49784 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:52.404736996 CET | 49784 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:56.289096117 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:56.608742952 CET | 52149 | 49785 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:56.609030962 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:56.610306978 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:57.003567934 CET | 52149 | 49785 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:57.003751040 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:57.377401114 CET | 52149 | 49785 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:57.377629042 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:58.069046021 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:58.315309048 CET | 52149 | 49785 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:58.382075071 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:37:58.889358044 CET | 52149 | 49785 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:37:58.889478922 CET | 49785 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:02.476890087 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:02.839351892 CET | 52149 | 49786 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:02.839615107 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:02.840364933 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:03.286972046 CET | 52149 | 49786 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:03.287015915 CET | 52149 | 49786 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:03.287174940 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:03.767981052 CET | 52149 | 49786 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:03.768172979 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:04.200131893 CET | 52149 | 49786 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:04.200242043 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:04.710655928 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:04.744462967 CET | 52149 | 49786 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:04.744534016 CET | 49786 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:08.817971945 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:09.129748106 CET | 52149 | 49788 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:09.129883051 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:09.136075020 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:09.765876055 CET | 52149 | 49788 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:09.768234015 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:10.345861912 CET | 52149 | 49788 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:10.346057892 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:10.608611107 CET | 52149 | 49788 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:10.608689070 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:11.039442062 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:11.068403006 CET | 52149 | 49788 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:11.068568945 CET | 49788 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:15.109191895 CET | 49794 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:15.385238886 CET | 52149 | 49794 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:15.385507107 CET | 49794 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:15.386754036 CET | 49794 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:15.767769098 CET | 52149 | 49794 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:15.767862082 CET | 49794 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:15.808629990 CET | 52149 | 49794 | 194.5.98.139 | 192.168.2.4
                                                Nov 22, 2021 11:38:15.809287071 CET | 49794 | 52149 | 192.168.2.4 | 194.5.98.139
                                                Nov 22, 2021 11:38:16.051676989 CET4979452149192.168.2.4194.5.98.139
                                                Nov 22, 2021 11:38:16.111615896 CET5214949794194.5.98.139192.168.2.4
                                                Nov 22, 2021 11:38:16.111705065 CET4979452149192.168.2.4194.5.98.139
                                                Nov 22, 2021 11:38:16.228950977 CET5214949794194.5.98.139192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 11:37:14
Start date: 22/11/2021
Path: C:\Users\user\Desktop\purchase order Nl32855 (1).exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\purchase order Nl32855 (1).exe"
Imagebase: 0x610000
File size: 905728 bytes
MD5 hash: C466151570C893F56D548A9689155656
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.677615387.0000000003F01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:37:22
Start date: 22/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpB6B0.tmp
Imagebase: 0xc20000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:23
Start date: 22/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:24
Start date: 22/11/2021
Path: C:\Users\user\Desktop\purchase order Nl32855 (1).exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xc30000
File size: 905728 bytes
MD5 hash: C466151570C893F56D548A9689155656
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.922693720.0000000006000000.00000004.00020000.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000000.672319406.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.917874645.000000000446B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.922681658.0000000005FF0000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.922681658.0000000005FF0000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000002.915976815.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000000.672759409.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.922602924.0000000005D50000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.922602924.0000000005D50000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000000.673837687.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000000.673297217.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:37:27
Start date: 22/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F1D.tmp
Imagebase: 0xc20000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:28
Start date: 22/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:29
Start date: 22/11/2021
Path: C:\Users\user\Desktop\purchase order Nl32855 (1).exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\purchase order Nl32855 (1).exe" 0
Imagebase: 0xcf0000
File size: 905728 bytes
MD5 hash: C466151570C893F56D548A9689155656
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.704899996.0000000004391000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 11:37:32
Start date: 22/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2A39.tmp
Imagebase: 0xc20000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:32
Start date: 22/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:34
Start date: 22/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpE496.tmp
Imagebase: 0xc20000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:37:34
Start date: 22/11/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase: 0x870000
File size: 905728 bytes
MD5 hash: C466151570C893F56D548A9689155656
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.715852193.00000000041D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 20%, ReversingLabs
Reputation: low

                                                General

                                                Start time:11:37:35
                                                Start date:22/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff724c50000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:11:37:36
                                                Start date:22/11/2021
                                                Path:C:\Users\user\Desktop\purchase order Nl32855 (1).exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0xa60000
                                                File size:905728 bytes
                                                MD5 hash:C466151570C893F56D548A9689155656
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.700142323.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.699611919.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.698759095.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.716328250.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.717558485.0000000004301000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.717504195.0000000003301000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.700948566.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                General

                                                Start time:11:37:37
                                                Start date:22/11/2021
                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                Imagebase:0x3c0000
                                                File size:905728 bytes
                                                MD5 hash:C466151570C893F56D548A9689155656
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.732518649.0000000003C91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                General

                                                Start time:11:37:37
                                                Start date:22/11/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpF1A6.tmp
                                                Imagebase:0xc20000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:11:37:38
                                                Start date:22/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff724c50000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:11:37:39
                                                Start date:22/11/2021
                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0xfd0000
                                                File size:905728 bytes
                                                MD5 hash:C466151570C893F56D548A9689155656
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.729145629.0000000004881000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.710553542.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.708011695.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.709668715.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.728891545.0000000003881000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.728031423.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000014.00000000.708878421.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                                General

                                                Start time:11:37:41
                                                Start date:22/11/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZEskWcTYJLciB" /XML "C:\Users\user\AppData\Local\Temp\tmpD.tmp
                                                Imagebase:0xc20000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:11:37:42
                                                Start date:22/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff724c50000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:11:37:43
                                                Start date:22/11/2021
                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Wow64 process (32bit):false
                                                Commandline:{path}
                                                Imagebase:0x20000
                                                File size:905728 bytes
                                                MD5 hash:C466151570C893F56D548A9689155656
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:11:37:45
                                                Start date:22/11/2021
                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Wow64 process (32bit):false
                                                Commandline:{path}
                                                Imagebase:0x320000
                                                File size:905728 bytes
                                                MD5 hash:C466151570C893F56D548A9689155656
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:11:37:46
                                                Start date:22/11/2021
                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0xd40000
                                                File size:905728 bytes
                                                MD5 hash:C466151570C893F56D548A9689155656
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.744724197.00000000044C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.727842390.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.744635827.00000000034C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.727053343.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.726440276.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.728365037.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.743854657.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                                Disassembly

                                                Code Analysis
