
Analysis Report Order List.exe

Overview

General Information

Sample Name: Order List.exe
Analysis ID: 299291
MD5: e060680debcb01905205d84f8d7d6e3f
SHA1: 18874130430779c97791bf109ea83f73a3156a64
SHA256: 82b2605b25b8443229154cf16788525e9dab3bdeff6b305792a11c0d5cd8e99f
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Order List.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\Order List.exe' MD5: E060680DEBCB01905205D84F8D7D6E3F)
    • Order List.exe (PID: 6268 cmdline: C:\Users\user\Desktop\Order List.exe MD5: E060680DEBCB01905205D84F8D7D6E3F)
      • schtasks.exe (PID: 4828 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Order List.exe (PID: 4536 cmdline: 'C:\Users\user\Desktop\Order List.exe' 0 MD5: E060680DEBCB01905205D84F8D7D6E3F)
    • Order List.exe (PID: 6224 cmdline: C:\Users\user\Desktop\Order List.exe MD5: E060680DEBCB01905205D84F8D7D6E3F)
    • Order List.exe (PID: 6312 cmdline: C:\Users\user\Desktop\Order List.exe MD5: E060680DEBCB01905205D84F8D7D6E3F)
    • Order List.exe (PID: 6212 cmdline: C:\Users\user\Desktop\Order List.exe MD5: E060680DEBCB01905205D84F8D7D6E3F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.117:2180", "79.134.225.117", "255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x112b85:$x1: NanoCore.ClientPluginHost
  • 0x1455a5:$x1: NanoCore.ClientPluginHost
  • 0x112bc2:$x2: IClientNetworkHost
  • 0x1455e2:$x2: IClientNetworkHost
  • 0x1166f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x149115:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1128ed:$a: NanoCore
  • 0x1128fd:$a: NanoCore
  • 0x112b31:$a: NanoCore
  • 0x112b45:$a: NanoCore
  • 0x112b85:$a: NanoCore
  • 0x14530d:$a: NanoCore
  • 0x14531d:$a: NanoCore
  • 0x145551:$a: NanoCore
  • 0x145565:$a: NanoCore
  • 0x1455a5:$a: NanoCore
  • 0x11294c:$b: ClientPlugin
  • 0x112b4e:$b: ClientPlugin
  • 0x112b8e:$b: ClientPlugin
  • 0x14536c:$b: ClientPlugin
  • 0x14556e:$b: ClientPlugin
  • 0x1455ae:$b: ClientPlugin
  • 0x112a73:$c: ProjectData
  • 0x145493:$c: ProjectData
  • 0x11347a:$d: DESCrypto
  • 0x145e9a:$d: DESCrypto
  • 0x11ae46:$e: KeepAlive
00000001.00000002.611968289.00000000058B0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000001.00000002.611968289.00000000058B0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Order List.exe.58b0000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
1.2.Order List.exe.58b0000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
7.2.Order List.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.Order List.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
7.2.Order List.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Order List.exe, ProcessId: 6268, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Order List.exe, ParentImage: C:\Users\user\Desktop\Order List.exe, ParentProcessId: 6268, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp', ProcessId: 4828

Signature Overview

AV Detection:

Found malware configuration
Source: Order List.exe.6212.7.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.117:2180", "79.134.225.117", "255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for submitted file
Source: Order List.exe | ReversingLabs: Detection: 33%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.374369279.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.374394523.00000000043A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.610077084.0000000003F87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.605532305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.368651862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343855045.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order List.exe PID: 6268, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order List.exe PID: 6212, type: MEMORY
Source: Yara match | File source: 7.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order List.exe.5c70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order List.exe.5c70000.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Order List.exe | Joe Sandbox ML: detected
Source: 7.2.Order List.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Order List.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_051822CF
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_051822E0
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 4_2_059A2358
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 4_2_059A2347
Source: global traffic | TCP traffic: 192.168.2.6:49730 -> 79.134.225.117:2180
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.117
Source: Order List.exe, 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.374369279.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.374394523.00000000043A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.610077084.0000000003F87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.605532305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.368651862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343855045.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order List.exe PID: 6268, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order List.exe PID: 6212, type: MEMORY
Source: Yara match | File source: 7.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order List.exe.5c70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order List.exe.5c70000.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.611968289.00000000058B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.374369279.00000000033A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.374394523.00000000043A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.610077084.0000000003F87000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.605532305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.605532305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.368651862.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.368651862.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.343855045.0000000003D11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.343855045.0000000003D11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Order List.exe PID: 6268, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Order List.exe PID: 6268, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Order List.exe PID: 6212, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Order List.exe PID: 6212, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Order List.exe.58b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Order List.exe.5c70000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Order List.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Order List.exe.5c70000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Order List.exe
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_0529172A NtQuerySystemInformation | 1_2_0529172A
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_052916EF NtQuerySystemInformation | 1_2_052916EF
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_05990206 NtQuerySystemInformation | 4_2_05990206
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_059901D9 NtQuerySystemInformation | 4_2_059901D9
Source: C:\Users\user\Desktop\Order List.exe | Code function: 0_2_04EB0E88 | 0_2_04EB0E88
Source: C:\Users\user\Desktop\Order List.exe | Code function: 0_2_04EB2226 | 0_2_04EB2226
Source: C:\Users\user\Desktop\Order List.exe | Code function: 0_2_04EB3520 | 0_2_04EB3520
Source: C:\Users\user\Desktop\Order List.exe | Code function: 0_2_04EB3510 | 0_2_04EB3510
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_02A27ABF | 1_2_02A27ABF
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_0516AF18 | 1_2_0516AF18
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_051623A0 | 1_2_051623A0
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_05162FA8 | 1_2_05162FA8
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_051692B8 | 1_2_051692B8
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_051686B8 | 1_2_051686B8
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_0516306F | 1_2_0516306F
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_0516937F | 1_2_0516937F
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_05169B60 | 1_2_05169B60
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_057D0E7B | 4_2_057D0E7B
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_057D1069 | 4_2_057D1069
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_057D2226 | 4_2_057D2226
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_057D3520 | 4_2_057D3520
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_057D3510 | 4_2_057D3510
Source: C:\Users\user\Desktop\Order List.exe | Code function: 7_2_054E2FA8 | 7_2_054E2FA8
Source: C:\Users\user\Desktop\Order List.exe | Code function: 7_2_054E23A0 | 7_2_054E23A0
Source: C:\Users\user\Desktop\Order List.exe | Code function: 7_2_054E306F | 7_2_054E306F
Source: Order List.exe, 00000000.00000002.344597028.0000000003E98000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs Order List.exe
Source: Order List.exe, 00000000.00000000.337193437.00000000006F6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameK3hU.exe6 vs Order List.exe
Source: Order List.exe, 00000000.00000002.345236492.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Order List.exe
Source: Order List.exe, 00000000.00000002.345321889.0000000004F90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexag vs Order List.exe
Source: Order List.exe, 00000001.00000002.611968289.00000000058B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Order List.exe
Source: Order List.exe, 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Order List.exe
Source: Order List.exe, 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Order List.exe
Source: Order List.exe, 00000001.00000002.605803771.0000000000996000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameK3hU.exe6 vs Order List.exe
Source: Order List.exe, 00000001.00000002.611382262.0000000005280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Order List.exe
Source: Order List.exe, 00000001.00000002.612516218.0000000006500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Order List.exe
Source: Order List.exe, 00000001.00000002.611844992.0000000005850000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Order List.exe
Source: Order List.exe, 00000001.00000002.606248001.000000000103A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Order List.exe
Source: Order List.exe, 00000004.00000002.357796855.0000000005850000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Order List.exe
Source: Order List.exe, 00000004.00000002.357864775.00000000058B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexag vs Order List.exe
Source: Order List.exe, 00000004.00000002.358309930.0000000005D00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs Order List.exe
Source: Order List.exe, 00000004.00000000.349097982.0000000000EF6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameK3hU.exe6 vs Order List.exe
Source: Order List.exe, 00000005.00000002.352180526.0000000000216000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameK3hU.exe6 vs Order List.exe
Source: Order List.exe, 00000006.00000000.352886557.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameK3hU.exe6 vs Order List.exe
Source: Order List.exe, 00000007.00000002.374369279.00000000033A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Order List.exe
Source: Order List.exe, 00000007.00000002.374369279.00000000033A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Order List.exe
Source: Order List.exe, 00000007.00000002.374613620.0000000005600000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Order List.exe
Source: Order List.exe, 00000007.00000002.374394523.00000000043A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Order List.exe
Source: Order List.exe, 00000007.00000002.368982128.0000000000D16000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameK3hU.exe6 vs Order List.exe
Source: Order List.exe | Binary or memory string: OriginalFilenameK3hU.exe6 vs Order List.exe
Source: 00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.356595039.00000000045D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.611968289.00000000058B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.611968289.00000000058B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.612186794.0000000005C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.374369279.00000000033A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.374394523.00000000043A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.610077084.0000000003F87000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.605532305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.605532305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.368651862.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.368651862.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.343855045.0000000003D11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.343855045.0000000003D11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Order List.exe PID: 6268, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Order List.exe PID: 6268, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Order List.exe PID: 6212, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Order List.exe PID: 6212, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Order List.exe.58b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Order List.exe.58b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 7.2.Order List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 7.2.Order List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 7.2.Order List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Order List.exe.5c70000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Order List.exe.5c70000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Order List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Order List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Order List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Order List.exe.5c70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Order List.exe.5c70000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Order List.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.Order List.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Order List.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Order List.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/4@0/1
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_052914EA AdjustTokenPrivileges, 1_2_052914EA
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_052914B3 AdjustTokenPrivileges, 1_2_052914B3
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_0190BD7A AdjustTokenPrivileges, 4_2_0190BD7A
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_0190BD43 AdjustTokenPrivileges, 4_2_0190BD43
Source: C:\Users\user\Desktop\Order List.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Order List.exe.log
Source: C:\Users\user\Desktop\Order List.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{95c86e36-934d-4822-aa79-e79b9452956c}
Source: C:\Users\user\Desktop\Order List.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4628:120:WilError_01
Source: C:\Users\user\Desktop\Order List.exe | Mutant created: \Sessions\1\BaseNamedObjects\sWJAhLkJxmcfkJuw
Source: C:\Users\user\Desktop\Order List.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3F02.tmp
Source: C:\Users\user\Desktop\Order List.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (listed 4 times in the report; repeats omitted)
Source: C:\Users\user\Desktop\Order List.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (listed 3 times in the report; repeats omitted)
Source: C:\Users\user\Desktop\Order List.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (listed 3 times in the report; repeats omitted)
Source: C:\Users\user\Desktop\Order List.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order List.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\Order List.exe | File read: C:\Users\user\Desktop\Order List.exe
Source: unknown | Process created: C:\Users\user\Desktop\Order List.exe 'C:\Users\user\Desktop\Order List.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Order List.exe 'C:\Users\user\Desktop\Order List.exe' 0
Source: unknown | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: unknown | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: unknown | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: C:\Users\user\Desktop\Order List.exe | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: C:\Users\user\Desktop\Order List.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp'
Source: C:\Users\user\Desktop\Order List.exe | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: C:\Users\user\Desktop\Order List.exe | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: C:\Users\user\Desktop\Order List.exe | Process created: C:\Users\user\Desktop\Order List.exe C:\Users\user\Desktop\Order List.exe
Source: C:\Users\user\Desktop\Order List.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Order List.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Order List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Order List.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Order List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: Order List.exe, 00000000.00000002.345236492.0000000004F30000.00000002.00000001.sdmp, Order List.exe, 00000001.00000002.611844992.0000000005850000.00000002.00000001.sdmp, Order List.exe, 00000004.00000002.357796855.0000000005850000.00000002.00000001.sdmp

      Data Obfuscation:

      barindex
.NET source code contains potential unpacker
Source: Order List.exe, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Order List.exe.660000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Order List.exe.660000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Order List.exe.900000.1.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Order List.exe.900000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Order List.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Order List.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Order List.exe.e60000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Order List.exe.e60000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Order List.exe.180000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Order List.exe.180000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Order List.exe.380000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.Order List.exe.380000.0.unpack, FastResourceComparer.cs | .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Order List.exe | Code function: 0_2_04EB715A push cs; retf 0_2_04EB715D
Source: C:\Users\user\Desktop\Order List.exe | Code function: 0_2_04EB6D57 push cs; iretd 0_2_04EB6D5D
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_02A274AC push ecx; ret 1_2_02A274AD
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_02A274B8 push ebp; ret 1_2_02A274B9
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_02A2AB63 push cs; retf 1_2_02A2AB7B
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_02A2AAF1 push cs; retf 1_2_02A2AB07
Source: C:\Users\user\Desktop\Order List.exe | Code function: 1_2_02A2ABD7 push cs; retf 1_2_02A2ABEF
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_057D715A push cs; retf 4_2_057D715D
Source: C:\Users\user\Desktop\Order List.exe | Code function: 4_2_057D6D57 push cs; iretd 4_2_057D6D5D
Source: initial sample | Static PE information: section name: .text entropy: 7.68350513975
Source: 1.2.Order List.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.Order List.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
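The two obfuscation indicators above (a .text section at 7.68 bits of entropy, and a loader that decrypts a resource and hands it to Assembly.Load(byte[])) are what an analyst checks first when triaging a .NET dropper: an encrypted payload stored inside the PE pushes the section's byte distribution toward uniform. The following is an added example, not part of the Joe Sandbox report or of the sample: a minimal PE section-table reader (no pefile dependency) with per-section Shannon entropy, run over a constructed stub image. The 7.0 threshold, the stub image builder and the three constructed sections are assumptions chosen for the demonstration; a real .text section of ordinary compiled code typically lands well below that.

```python
import math
import random
import struct
from collections import Counter
from typing import Dict, Iterator, List, Tuple

PACKED_THRESHOLD = 7.0   # assumption: common triage cut-off; plain compiled code is usually lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(entropy: float, threshold: float = PACKED_THRESHOLD) -> bool:
    return entropy >= threshold


def pe_sections(image: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, raw bytes) per section by walking the COFF header and section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(n_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_entropy(image: bytes) -> Dict[str, float]:
    return {name: shannon_entropy(raw) for name, raw in pe_sections(image)}


def packed_sections(image: bytes, threshold: float = PACKED_THRESHOLD) -> List[str]:
    """Names of sections whose entropy crosses the threshold, in section-table order."""
    return [name for name, h in section_entropy(image).items() if looks_packed(h, threshold)]


def build_test_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed, non-runnable PE carrying only the headers the parser reads (test input)."""
    e_lfanew = 0x40
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader (0: optional header omitted), Characteristics
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = len(hdr) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0x1000, len(raw), raw_ptr) + b"\0" * 16
        raw_ptr += len(raw)
        body += raw
    return hdr + table + body


# Constructed sections: seeded pseudo-random bytes stand in for an encrypted payload.
_rng = random.Random(2020)
SAMPLE_SECTIONS = [
    (".text",  bytes(_rng.getrandbits(8) for _ in range(4096))),  # near-uniform, like ciphertext
    (".rdata", bytes(range(256)) * 4),                             # every value equally often: exactly 8.0
    (".data",  b"\0" * 1024 + b"A" * 1024),                        # two symbols, 50/50: exactly 1.0
]
SAMPLE_IMAGE = build_test_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    for name, h in section_entropy(SAMPLE_IMAGE).items():
        print(f"{name:8s} entropy={h:.3f} packed={looks_packed(h)}")
```

Point the parser at a real file (`pe_sections(open(path, "rb").read())`) and the same threshold flags the sample's .text at 7.68; treat the result as a triage hint rather than a verdict, since legitimately compressed resources and signed installers also score high.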

      Boot Survival:

      barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp'

      Hooking and other Techniques for Hiding and Protection:

      barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Order List.exe | File opened: C:\Users\user\Desktop\Order List.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Order List.exe | Process information set: NOOPENFILEERRORBOX (identical observation listed 107 times in the report; repeats omitted)
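Three of the behaviours recorded above translate directly into host-based detections: the persistence task registered with schtasks.exe /create from an XML definition in the user's Temp directory (the Sigma "Scheduled temp file as task from temp location" logic), the sample launching a second copy of its own image before injecting into it, and the Zone.Identifier alternate data stream opened with delete access to strip the mark-of-the-web. The following is an added example, not part of the Joe Sandbox report: the three checks implemented over Sysmon-style process-creation and file-access records. The record layout, the field names, the benign control events and the PID of the schtasks event are assumptions; the malicious records are modelled on the command lines and paths the report shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:          # assumption: shape of a Sysmon Event ID 1 record
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class FileEvent:          # assumption: shape of a file-open record with its access mask
    image: str
    target: str
    access: str           # e.g. "read attributes | delete"


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def _arg(cmdline: str, flag: str) -> Optional[str]:
    """Value following a schtasks flag, with single or double quotes removed."""
    m = re.search(re.escape(flag) + r"\s+(?:(['\"])(.+?)\1|(\S+))", cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(3)


def scheduled_task_from_temp(ev: ProcEvent) -> Optional[dict]:
    """schtasks.exe /create whose /xml task definition lives in a temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if "/create" not in ev.command_line.lower():
        return None
    xml = _arg(ev.command_line, "/xml")
    if not xml or not TEMP_DIR.search(xml):
        return None
    return {"rule": "scheduled_task_from_temp", "pid": ev.pid,
            "task": _arg(ev.command_line, "/tn"), "xml": xml}


def self_spawn(ev: ProcEvent) -> Optional[dict]:
    """A process starting a second copy of its own image (the injection pattern in the tree)."""
    if ev.image.lower() != ev.parent_image.lower():
        return None
    return {"rule": "self_spawn", "pid": ev.pid, "image": ev.image}


def zone_identifier_removed(ev: FileEvent) -> Optional[dict]:
    """The Zone.Identifier stream opened with DELETE access: mark-of-the-web removal."""
    if not ev.target.lower().endswith(":zone.identifier"):
        return None
    if "delete" not in ev.access.lower():
        return None
    return {"rule": "zone_identifier_removed", "image": ev.image,
            "file": ev.target.rsplit(":", 1)[0]}


def run_detections(procs: List[ProcEvent], files: List[FileEvent]) -> List[dict]:
    hits = []
    for p in procs:
        for rule in (scheduled_task_from_temp, self_spawn):
            h = rule(p)
            if h:
                hits.append(h)
    for f in files:
        h = zone_identifier_removed(f)
        if h:
            hits.append(h)
    return hits


# Constructed records. The first two mirror the report; PID 4700 and the benign controls are made up.
SAMPLE_PROCS = [
    ProcEvent(6212, r"C:\Users\user\Desktop\Order List.exe", r"C:\Users\user\Desktop\Order List.exe",
              r"C:\Users\user\Desktop\Order List.exe"),
    ProcEvent(4700, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3F02.tmp'",
              r"C:\Users\user\Desktop\Order List.exe"),
    ProcEvent(1234, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\nightly.xml"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1300, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]
SAMPLE_FILES = [
    FileEvent(r"C:\Users\user\Desktop\Order List.exe",
              r"C:\Users\user\Desktop\Order List.exe:Zone.Identifier", "read attributes | delete"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\user\Downloads\invoice.pdf:Zone.Identifier", "read"),
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_PROCS, SAMPLE_FILES):
        print(hit)
```

The self-spawn check on its own is noisy (browsers and updaters do it routinely); it earns its place when correlated with the suspended-mode creation and the memory-write signatures the report lists above, or with a task created by the same parent within seconds.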