
Analysis Report VIETAZ TRADING CO - ITEMS LIST.exe

Overview

General Information

Sample Name: VIETAZ TRADING CO - ITEMS LIST.exe
Analysis ID: 255508
MD5: a296a20f034e1bbb8a7def685cff14ba
SHA1: ea1607d91c15e395b1f815010b91c3e607e55721
SHA256: 43978c54ae195f6985cd3170246f6bd6214e36ab14aadb8e753488bee36beef3


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • VIETAZ TRADING CO - ITEMS LIST.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe' MD5: A296A20F034E1BBB8A7DEF685CFF14BA)
    • schtasks.exe (PID: 5104 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • MpCmdRun.exe (PID: 4936 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
          • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author (matched strings listed below each row)
VIETAZ TRADING CO - ITEMS LIST.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x19591:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author (matched strings listed below each row)
C:\Users\user\AppData\Local\Temp\&startupname&.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x19591:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author (matched strings listed below each row)
00000000.00000002.233676172.00000000008F2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x19391:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000000.223418100.00000000008F2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x19391:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author (matched strings listed below each row)
4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
0.0.VIETAZ TRADING CO - ITEMS LIST.exe.8f0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x19591:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe, ProcessId: 6164, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe', ParentImage: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe, ParentProcessId: 7052, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp', ProcessId: 5104

Signature Overview


AV Detection:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.236131678.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.495741892.00000000045F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.490340514.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 6164, type: MEMORY
Source: Yara match; File source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.raw.unpack, type: UNPACKEDPE

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 91.192.100.25 ports 56372,2,3,5,6,7
Uses dynamic DNS services
Source: unknown; DNS query: name: billion1920.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.3:49725 -> 91.192.100.25:56372
Source: unknown; DNS traffic detected: queries for: billion1920.duckdns.org
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.236131678.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.495741892.00000000045F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.490340514.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 6164, type: MEMORY
Source: Yara match; File source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.236131678.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.236131678.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.495741892.00000000045F7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.490340514.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.490340514.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.498413471.0000000005B70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 6164, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 6164, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5b70000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe; Code function: 0_2_02A7B2CE NtQuerySystemInformation
Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe; Code function: 0_2_02A7B293 NtQuerySystemInformation
Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe; Code function: 4_2_05911842 NtQuerySystemInformation
Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe; Code function: 4_2_05911807 NtQuerySystemInformation
Source: VIETAZ TRADING CO - ITEMS LIST.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: &startupname&.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.237661835.00000000061D0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000003.229738349.0000000000FD7000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNWgYz.exe4 vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.237105691.0000000005240000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSparta.dll. vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.237442892.00000000056B0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLoreal.exe4 vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.237815056.00000000062C0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.237815056.00000000062C0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.236996076.00000000051E0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000000.233094176.0000000000FE2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameNWgYz.exe4 vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498377328.0000000005B10000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498219778.0000000005900000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.495741892.00000000045F7000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498713388.0000000006B90000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe; Binary or memory string: OriginalFilenameNWgYz.exe4 vs VIETAZ TRADING CO - ITEMS LIST.exe
Source: VIETAZ TRADING CO - ITEMS LIST.exe, type: SAMPLE; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.233676172.00000000008F2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.223418100.00000000008F2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.498502303.0000000005F20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000000.233031180.0000000000F52000.00000002.00020000.sdmp, type: MEMORY; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.236131678.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.236131678.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.495741892.00000000045F7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.490464874.0000000000F52000.00000002.00020000.sdmp, type: MEMORY; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000004.00000002.490340514.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.490340514.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.498413471.0000000005B70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.498413471.0000000005B70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 7052, type: MEMORY; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 6164, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 6164, type: MEMORY; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 6164, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPED; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.VIETAZ TRADING CO - ITEMS LIST.exe.8f0000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5b70000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5b70000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.f50000.1.unpack, type: UNPACKEDPE; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.2.VIETAZ TRADING CO - ITEMS LIST.exe.8f0000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 4.0.VIETAZ TRADING CO - ITEMS LIST.exe.f50000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.5f20000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: VIETAZ TRADING CO - ITEMS LIST.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: &startupname&.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: classification engineClassification label: mal100.troj.evad.winEXE@8/6@13/1
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeCode function: 0_2_02A7AD1A AdjustTokenPrivileges,0_2_02A7AD1A
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeCode function: 0_2_02A7ACE3 AdjustTokenPrivileges,0_2_02A7ACE3
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeCode function: 4_2_05911602 AdjustTokenPrivileges,4_2_05911602
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeCode function: 4_2_059115CB AdjustTokenPrivileges,4_2_059115CB
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\VIETAZ TRADING CO - ITEMS LIST.exe.logJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6748:120:WilError_01
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_01
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{aa99d9f5-5722-4e07-9fc2-f779c77bfa3a}
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exeFile created: C:\Users\user\AppData\Local\Temp\&startupname&.exeJump to behavior
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File read: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe
      Source: unknown | Process created: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe 'C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe {path}
      Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp'
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process created: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe {path}
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: VIETAZ TRADING CO - ITEMS LIST.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: VIETAZ TRADING CO - ITEMS LIST.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: mscorrc.pdb source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.236996076.00000000051E0000.00000002.00000001.sdmp, VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498377328.0000000005B10000.00000002.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Code function: 0_2_05189029 push edi; ret 0_2_0518902A
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Code function: 0_2_0518AC7E pushfd ; iretd 0_2_0518AC7F
      Source: initial sample | Static PE information: section name: .text entropy: 7.68317743147
      Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 4.2.VIETAZ TRADING CO - ITEMS LIST.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File created: \vietaz trading co - items list.exe
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe (dropped file)

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File opened: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: Process Memory Space: VIETAZ TRADING CO - ITEMS LIST.exe PID: 7052, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Window / User API: threadDelayed 1323
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Window / User API: foregroundWindowGot 926
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe TID: 7056 | Thread sleep time: -38000s >= -30000s
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe TID: 7080 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe TID: 6156 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe TID: 6184 | Thread sleep time: -100000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Code function: 4_2_0591132A GetSystemInfo, 4_2_0591132A
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498713388.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: VMWARE
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498713388.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498713388.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000000.00000002.234788909.0000000002F5C000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.498713388.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Code function: 0_2_02A7A172 CheckRemoteDebuggerPresent, 0_2_02A7A172
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Memory written: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp'
      Source: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe | Process created: C:\Users\user\Desktop\VIETAZ TRADING CO - ITEMS LIST.exe {path}
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.491168576.0000000001700000.00000004.00000020.sdmp | Binary or memory string: Program Manager
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.491690052.0000000001D00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.491690052.0000000001D00000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: VIETAZ TRADING CO - ITEMS LIST.exe, 00000004.00000002.491690052.0000000001D00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock