Analysis Report Order List 2.exe

Overview

General Information

Sample Name: Order List 2.exe
Analysis ID: 298888
MD5: ad070f262a775545f0678e02b4b60b14
SHA1: 2f205df9de36065d5093cbed0ad09e6883a8415d
SHA256: b73d9ca871a542e64db5bf55485a94f47ef2ac2a4ea3cdb388588d11f173b93e
Tags: exe, NanoCore, nVpn, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Order List 2.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\Order List 2.exe' MD5: AD070F262A775545F0678E02B4B60B14)
    • Order List 2.exe (PID: 7128 cmdline: C:\Users\user\Desktop\Order List 2.exe MD5: AD070F262A775545F0678E02B4B60B14)
      • schtasks.exe (PID: 2944 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Order List 2.exe (PID: 4704 cmdline: 'C:\Users\user\Desktop\Order List 2.exe' 0 MD5: AD070F262A775545F0678E02B4B60B14)
    • Order List 2.exe (PID: 1212 cmdline: C:\Users\user\Desktop\Order List 2.exe MD5: AD070F262A775545F0678E02B4B60B14)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.117"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
Source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x3585:$a: NanoCore
  • 0x35de:$a: NanoCore
  • 0x361b:$a: NanoCore
  • 0x3694:$a: NanoCore
  • 0x16d3f:$a: NanoCore
  • 0x16d54:$a: NanoCore
  • 0x16d89:$a: NanoCore
  • 0x2fd0b:$a: NanoCore
  • 0x2fd20:$a: NanoCore
  • 0x2fd55:$a: NanoCore
  • 0x35e7:$b: ClientPlugin
  • 0x3624:$b: ClientPlugin
  • 0x3f22:$b: ClientPlugin
  • 0x3f2f:$b: ClientPlugin
  • 0x16afb:$b: ClientPlugin
  • 0x16b16:$b: ClientPlugin
  • 0x16b46:$b: ClientPlugin
  • 0x16d5d:$b: ClientPlugin
  • 0x16d92:$b: ClientPlugin
  • 0x2fac7:$b: ClientPlugin
  • 0x2fae2:$b: ClientPlugin

Unpacked PEs

Source: 1.2.Order List 2.exe.4eb0000.3.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 1.2.Order List 2.exe.4eb0000.3.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 1.2.Order List 2.exe.5060000.4.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 1.2.Order List 2.exe.5060000.4.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
Source: 1.2.Order List 2.exe.5060000.4.raw.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Order List 2.exe, ProcessId: 7128, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Order List 2.exe, ParentImage: C:\Users\user\Desktop\Order List 2.exe, ParentProcessId: 7128, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp', ProcessId: 2944

Signature Overview

AV Detection:

Found malware configuration
Source: Order List 2.exe.7128.1.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.117"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for submitted file
Source: Order List 2.exe, ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.394833324.0000000003D99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.392825203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.381090020.0000000004396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.351804553.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.609003056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.394714929.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order List 2.exe PID: 7128, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order List 2.exe PID: 1212, type: MEMORY
Source: Yara match, File source: 1.2.Order List 2.exe.5060000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Order List 2.exe.5060000.4.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Order List 2.exe, Joe Sandbox ML: detected
Source: 1.2.Order List 2.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Order List 2.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\Order List 2.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 4_2_011241E4
Source: C:\Users\user\Desktop\Order List 2.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 4_2_01127D08
Source: global traffic, TCP traffic: 192.168.2.6:49734 -> 79.134.225.117:2180
Source: Joe Sandbox View, ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown, TCP traffic detected without corresponding DNS query: 79.134.225.117
Source: Order List 2.exe, 00000000.00000002.350696571.000000000312A000.00000004.00000001.sdmp, Order List 2.exe, 00000004.00000002.379996920.00000000029F1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order List 2.exe, 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.394833324.0000000003D99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.392825203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.381090020.0000000004396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.351804553.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.609003056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.394714929.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order List 2.exe PID: 7128, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order List 2.exe PID: 1212, type: MEMORY
Source: Yara match, File source: 1.2.Order List 2.exe.5060000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Order List 2.exe.5060000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.394833324.0000000003D99000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.616059221.0000000004EB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.392825203.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.392825203.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.381090020.0000000004396000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.381090020.0000000004396000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.351804553.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.351804553.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.609003056.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.609003056.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.394714929.0000000002D91000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Order List 2.exe PID: 7128, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Order List 2.exe PID: 7128, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Order List 2.exe PID: 1212, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Order List 2.exe PID: 1212, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Order List 2.exe.4eb0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Order List 2.exe.5060000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Order List 2.exe.5060000.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Order List 2.exe
Source: C:\Users\user\Desktop\Order List 2.exe, Code function: 0_2_017B02EC NtQueryInformationProcess, 0_2_017B02EC
Source: C:\Users\user\Desktop\Order List 2.exe, Code function: 0_2_017B84B9 NtQueryInformationProcess, 0_2_017B84B9
Source: C:\Users\user\Desktop\Order List 2.exe, Code function: 4_2_010502EC NtQueryInformationProcess, 4_2_010502EC
Source: C:\Users\user\Desktop\Order List 2.exe, Code function: 4_2_010502E5 NtQueryInformationProcess, 4_2_010502E5
Source: C:\Users\user\Desktop\Order List 2.exe, Code function: 4_2_010584B9 NtQueryInformationProcess, 4_2_010584B9
        Source: Order List 2.exeBinary or memory string: OriginalFilename vs Order List 2.exe
        Source: Order List 2.exe, 00000000.00000002.356953797.0000000008F30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs Order List 2.exe
        Source: Order List 2.exe, 00000000.00000002.349649257.0000000000E08000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamel6DM.exeX vs Order List 2.exe
        Source: Order List 2.exe, 00000000.00000002.350696571.000000000312A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameexag vs Order List 2.exe
        Source: Order List 2.exeBinary or memory string: OriginalFilename vs Order List 2.exe
        Source: Order List 2.exe, 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Order List 2.exe
        Source: Order List 2.exe, 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Order List 2.exe
        Source: Order List 2.exe, 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Order List 2.exe
        Source: Order List 2.exe, 00000001.00000002.609175607.0000000000472000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamel6DM.exeX vs Order List 2.exe
        Source: Order List 2.exe, 00000001.00000002.616974648.00000000066B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Order List 2.exe
        Source: Order List 2.exe, 00000001.00000002.616558768.0000000005D60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Order List 2.exe
        Source: Order List 2.exeBinary or memory string: OriginalFilename vs Order List 2.exe
        Source: Order List 2.exe, 00000004.00000002.380102619.0000000002A0A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameexag vs Order List 2.exe
        Source: Order List 2.exe, 00000004.00000002.377800978.00000000006F8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamel6DM.exeX vs Order List 2.exe
        Source: Order List 2.exe, 00000004.00000002.386099517.0000000008840000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs Order List 2.exe
        Source: Order List 2.exeBinary or memory string: OriginalFilename vs Order List 2.exe
        Source: Order List 2.exe, 00000005.00000002.394833324.0000000003D99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Order List 2.exe
        Source: Order List 2.exe, 00000005.00000002.394833324.0000000003D99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Order List 2.exe
        Source: Order List 2.exe, 00000005.00000002.394833324.0000000003D99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Order List 2.exe
        Source: Order List 2.exe, 00000005.00000000.370952933.0000000000982000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamel6DM.exeX vs Order List 2.exe
        Source: Order List 2.exe, 00000005.00000002.396176573.0000000005300000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Order List 2.exe
        Source: Order List 2.exeBinary or memory string: OriginalFilenamel6DM.exeX vs Order List 2.exe
        Source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.616188781.0000000005060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.614100279.0000000003799000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.394833324.0000000003D99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.616059221.0000000004EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.616059221.0000000004EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000005.00000002.392825203.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.392825203.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.381090020.0000000004396000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.381090020.0000000004396000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.351804553.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.351804553.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.609003056.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.609003056.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.394714929.0000000002D91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Order List 2.exe PID: 7128, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Order List 2.exe PID: 7128, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Order List 2.exe PID: 1212, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Order List 2.exe PID: 1212, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Order List 2.exe.4eb0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Order List 2.exe.4eb0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Order List 2.exe.5060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Order List 2.exe.5060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Order List 2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Order List 2.exe.5060000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Order List 2.exe.5060000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Order List 2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/4@0/1
        Source: C:\Users\user\Desktop\Order List 2.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order List 2.exe.log
        Source: C:\Users\user\Desktop\Order List 2.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{95c86e36-934d-4822-aa79-e79b9452956c}
        Source: C:\Users\user\Desktop\Order List 2.exe | Mutant created: \Sessions\1\BaseNamedObjects\csxXGL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3908:120:WilError_01
        Source: C:\Users\user\Desktop\Order List 2.exe | File created: C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp
        Source: Order List 2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Order List 2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Order List 2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Order List 2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Order List 2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Order List 2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Order List 2.exe | ReversingLabs: Detection: 31%
        Source: C:\Users\user\Desktop\Order List 2.exe | File read: C:\Users\user\Desktop\Order List 2.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Order List 2.exe 'C:\Users\user\Desktop\Order List 2.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\Order List 2.exe C:\Users\user\Desktop\Order List 2.exe
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Order List 2.exe 'C:\Users\user\Desktop\Order List 2.exe' 0
        Source: unknown | Process created: C:\Users\user\Desktop\Order List 2.exe C:\Users\user\Desktop\Order List 2.exe
        Source: C:\Users\user\Desktop\Order List 2.exe | Process created: C:\Users\user\Desktop\Order List 2.exe C:\Users\user\Desktop\Order List 2.exe
        Source: C:\Users\user\Desktop\Order List 2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp'
        Source: C:\Users\user\Desktop\Order List 2.exe | Process created: C:\Users\user\Desktop\Order List 2.exe C:\Users\user\Desktop\Order List 2.exe
        Source: C:\Users\user\Desktop\Order List 2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\Order List 2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Order List 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Order List 2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\Order List 2.exe | Unpacked PE file: 0.2.Order List 2.exe.d70000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Source: C:\Users\user\Desktop\Order List 2.exe | Unpacked PE file: 4.2.Order List 2.exe.660000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\Order List 2.exe | Unpacked PE file: 0.2.Order List 2.exe.d70000.0.unpack
        Source: C:\Users\user\Desktop\Order List 2.exe | Unpacked PE file: 4.2.Order List 2.exe.660000.0.unpack
        .NET source code contains potential unpacker
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 0_2_00DE079B push ebx; retf 0_2_00DE079D
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 0_2_00DE046F push esi; iretd 0_2_00DE0473
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 0_2_00DDFE18 pushad ; iretd 0_2_00DDFE6B
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 0_2_017B7004 push esi; iretd 0_2_017B7006
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 0_2_017B76C4 push ebx; retf 0_2_017B76C6
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 0_2_084D6DE8 push esp; ret 0_2_084D6DE9
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 0_2_084D61E6 push esi; iretd 0_2_084D61E7
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 1_2_004E046F push esi; iretd 1_2_004E0473
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 1_2_004DFE18 pushad ; iretd 1_2_004DFE6B
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 1_2_004E079B push ebx; retf 1_2_004E079D
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 4_2_006D046F push esi; iretd 4_2_006D0473
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 4_2_006CFE18 pushad ; iretd 4_2_006CFE6B
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 4_2_006D079B push ebx; retf 4_2_006D079D
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 4_2_01057004 push esi; iretd 4_2_01057006
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 4_2_010576C4 push ebx; retf 4_2_010576C6
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 5_2_009F079B push ebx; retf 5_2_009F079D
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 5_2_009EFE18 pushad ; iretd 5_2_009EFE6B
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 5_2_009F046F push esi; iretd 5_2_009F0473
        Source: C:\Users\user\Desktop\Order List 2.exe | Code function: 5_2_052A69F8 pushad ; retf 5_2_052A69F9
        Source: initial sample | Static PE information: section name: .text entropy: 7.78613400332
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.Order List 2.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.Order List 2.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
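        Added example, not part of the Joe Sandbox report or of the sample: a Python implementation of the Shannon-entropy heuristic behind the ".text entropy" and "High entropy of concatenated method names" rows above. It is applied to the ten method names listed for the first flagged class and, for contrast, to the readable API names from the "Cryptographic APIs" and "Security API names" rows. The two thresholds are assumptions chosen for illustration; the sandbox's real cut-offs are not published on this page.

```python
import math
from collections import Counter


def shannon_entropy(data) -> float:
    """Shannon entropy in bits per symbol of a str or bytes sequence (0.0 when empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Method names copied from the first flagged class in the report above.
# The "#=q" prefix and base64-style bodies are characteristic of a renaming
# obfuscator: every member name is an opaque, near-uniformly distributed blob.
OBFUSCATED_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
    "#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=",
    "#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=",
    "#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=",
    "#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=",
]

# Readable identifiers taken from the report's API rows, as the baseline.
PLAIN_NAMES = ["TransformFinalBlock", "CreateDecryptor", "GetCurrent", "IsInRole", "Load"]

# Thresholds are assumptions for this example, not the sandbox's values.
# English-like identifiers sit around 4 bits per character, while base64-style
# renamed members approach log2(64) = 6 bits per character.
NAME_ENTROPY_THRESHOLD = 5.0
# Plain x86 or CIL code in a PE section is normally well below 7 bits per byte;
# the report's .text value of 7.786 is close to the 8.0 ceiling of compressed
# or encrypted data, which is what "packed" means here.
SECTION_ENTROPY_THRESHOLD = 7.0


def concatenated_name_entropy(names) -> float:
    """Entropy of all member names joined together, as the heuristic above does."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold=NAME_ENTROPY_THRESHOLD) -> bool:
    return concatenated_name_entropy(names) > threshold


def section_looks_packed(entropy_bits_per_byte, threshold=SECTION_ENTROPY_THRESHOLD) -> bool:
    return entropy_bits_per_byte > threshold


if __name__ == "__main__":
    print(f"obfuscated names: {concatenated_name_entropy(OBFUSCATED_NAMES):.2f} bits/char")
    print(f"plain names:      {concatenated_name_entropy(PLAIN_NAMES):.2f} bits/char")
    print("report .text entropy 7.786 -> packed:", section_looks_packed(7.78613400332))
```

        The same function serves both rows: run over a section's raw bytes it gives the per-byte figure the static PE check reports, run over the joined member names it gives the per-character figure the .NET check reports. Either threshold alone is only a hint; the rows that carry the conviction here are Assembly.Load(byte[]) on a decrypted buffer (TransformFinalBlock / CreateDecryptor) combined with the unpacked PE detections, which together describe a crypter that decrypts and reflectively loads the real NanoCore client.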

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp'
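        Added example, not part of the report: a small Python matcher for the persistence pattern shown above, a schtasks.exe /create whose task definition is imported with /xml from a file in a temp directory and which is launched by an executable in the user's profile. The records are constructed here in the style of Sysmon Event ID 1 (Image, ParentImage, CommandLine); the first reproduces the command line from the report, the others are made-up matching and non-matching cases. The list of temp directories and the severity boost for parents under C:\Users are assumptions for this example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 field names).
# Joe Sandbox renders the original double quotes of a command line as single
# quotes, so the matcher below accepts both quoting styles.
SAMPLE_EVENTS = [
    {   # the invocation from the report above
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\user\Desktop\Order List 2.exe",
        "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5CA6.tmp'",
    },
    {   # task registered from the command line, no XML import
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily',
    },
    {   # XML import from the system temp directory, different quoting and switch case
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /Create /XML "C:\Windows\Temp\task.xml" /TN Updater',
    },
    {   # query only, nothing created
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'schtasks /query /tn "DHCP Monitor"',
    },
]

# Locations writable without privileges (assumed list). A task definition
# dropped there and imported straight away is the pattern flagged above.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%", re.I)


def _switch_value(switch: str, cmd: str):
    """Value following /<switch>, quoted with ' or " or bare; None if the switch is absent."""
    pattern = r"/" + re.escape(switch) + r"""\s+(?:'([^']*)'|"([^"]*)"|(\S+))"""
    m = re.search(pattern, cmd, re.I)
    return None if m is None else next(g for g in m.groups() if g is not None)


def scheduled_task_from_temp(event: dict):
    """Finding dict for a schtasks /create that imports its XML from a temp directory, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"/create\b", cmd, re.I):
        return None
    xml_path = _switch_value("xml", cmd)
    if xml_path is None or not TEMP_DIR_RE.search(xml_path):
        return None
    parent = event.get("ParentImage", "")
    return {
        "task_name": _switch_value("tn", cmd),
        "xml_path": xml_path,
        "parent": parent,
        # Installers normally run from Program Files or System32; a parent under
        # C:\Users (Desktop, Downloads, %TEMP%) is the user-launched lure.
        "parent_in_user_dir": "\\users\\" in parent.lower(),
    }


def scan(events):
    """All findings for a batch of process-creation events, in input order."""
    return [f for f in map(scheduled_task_from_temp, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

        The task name 'DHCP Monitor' is chosen to blend in with Windows services, so the matcher keys on the XML import from a temp path rather than on the name. On a live host the registered definition can be pulled back for review with schtasks /Query /TN "DHCP Monitor" /XML, which shows the action that the tmp5CA6.tmp file (already deleted by then, in most cases) pointed at.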

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Order List 2.exe | File opened: C:\Users\user\Desktop\Order List 2.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Order List 2.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Order List 2.exeProcess inform