
Analysis Report shipping order#.scr

Overview

General Information

Sample Name: shipping order#.scr (renamed file extension from scr to exe)
Analysis ID: 337536
MD5: a916070df947a28ea73074c080189d35
SHA1: 2c4215352fecfbd74b596f1125177f54cd010a4b
SHA256: b657538bf8bc1aca7ca8e7e02f1c5a39cbc8bc343bf7c5ebfe026f6dcc02fe32
Tags: DEU, Endurance, geo, NanoCore, nVpn, RAT, scr


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • shipping order#.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
    • powershell.exe (PID: 5796 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5128 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4944 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6836 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6996 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6948 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 2460 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5136 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 4176 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7124 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • shipping order#.exe (PID: 6648 cmdline: C:\Users\user\Desktop\shipping order#.exe MD5: A916070DF947A28EA73074C080189D35)
    • WerFault.exe (PID: 5824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 2396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • shipping order#.exe (PID: 5812 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
    • powershell.exe (PID: 1836 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2848 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6880 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • shipping order#.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • shipping order#.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • shipping order#.exe (PID: 408 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • shipping order#.exe (PID: 5700 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • dhcpmon.exe (PID: 5392 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A916070DF947A28EA73074C080189D35)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: Process Memory Space: shipping order#.exe PID: 6648
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x151827:$x1: NanoCore.ClientPluginHost
  • 0x151888:$x2: IClientNetworkHost
  • 0x156c8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x164bff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: Process Memory Space: shipping order#.exe PID: 6648
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Unpacked PEs

Source: 22.2.shipping order#.exe.400000.0.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 22.2.shipping order#.exe.400000.0.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: 22.2.shipping order#.exe.400000.0.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 22.2.shipping order#.exe.400000.0.unpack
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\shipping order#.exe, ProcessId: 6648, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\shipping order#.exe', ParentImage: C:\Users\user\Desktop\shipping order#.exe, ParentProcessId: 5884, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force, ProcessId: 5796

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe; ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: shipping order#.exe; ReversingLabs: Detection: 29%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORY
Source: Yara match; File source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: shipping order#.exe; Joe Sandbox ML: detected
Source: shipping order#.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49728 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49784 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49785 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49787 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49793 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49798 version: TLS 1.0
Source: shipping order#.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: (PWoLC:\Windows\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbE%l source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order#.PDB source: shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.1019645820.0000000001686000.00000004.00000020.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb@ source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdbh source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: shipping order#.PDB source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000001B.00000003.827603731.000000000581E000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001B.00000003.741556001.00000000033D4000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order#.PDBX source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp
        Source: Binary string: combase.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb9 source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp

        Networking:

        Connects to a pastebin service (likely for C&C)
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: global trafficTCP traffic: 192.168.2.4:49739 -> 194.5.97.173:10004
        Source: Joe Sandbox ViewIP Address: 104.23.99.190 104.23.99.190
        Source: Joe Sandbox ViewIP Address: 104.23.99.190 104.23.99.190
        Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
        Source: unknownHTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49728 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49772 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49784 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49785 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49787 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49793 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49798 version: TLS 1.0
        Source: unknownDNS traffic detected: queries for: pastebin.com
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: powershell.exe, 00000025.00000003.844054876.0000000007D63000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsi7
        Source: powershell.exe, 00000001.00000003.785389643.0000000003543000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: powershell.exe, 00000025.00000003.844054876.0000000007D63000.00000004.00000001.sdmpString found in binary or memory: http://logo.vGs
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
        Source: shipping order#.exe, 00000000.00000003.657555811.00000000033E8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000003.813659881.00000000029D4000.00000004.00000001.sdmp, shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
        Source: powershell.exe, 00000003.00000003.881997379.0000000004F9E000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000004.00000003.945556965.0000000005233000.00000004.00000001.sdmpString found in binary or memory: https://go.microd
        Source: shipping order#.exe, 00000015.00000003.1039301625.00000000032B4000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/W63zsRav
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
        Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
        Source: shipping order#.exe, 00000000.00000002.1019414297.00000000015BA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORY
        Source: Yara matchFile source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sampleStatic PE information: Filename: shipping order#.exe
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_01945E88 NtSetInformationThread,0_2_01945E88
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0194D02A NtSetInformationThread,0_2_0194D02A
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018EF0B80_2_018EF0B8
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018E00400_2_018E0040
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018EF9880_2_018EF988
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018EED700_2_018EED70
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_019432C00_2_019432C0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335A2000_2_0335A200
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335EDC80_2_0335EDC8
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033582F00_2_033582F0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358AF00_2_03358AF0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033579B10_2_033579B1
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335A1EF0_2_0335A1EF
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033570730_2_03357073
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335707B0_2_0335707B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033570530_2_03357053
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335705B0_2_0335705B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033510B00_2_033510B0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033570B30_2_033570B3
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033570BB0_2_033570BB
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033550BA0_2_033550BA
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335709B0_2_0335709B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033530F00_2_033530F0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F330_2_03356F33
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F3B0_2_03356F3B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F130_2_03356F13
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F1B0_2_03356F1B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358F700_2_03358F70
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F7B0_2_03356F7B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F5B0_2_03356F5B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033577B10_2_033577B1
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03357FB10_2_03357FB1
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F9B0_2_03356F9B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033506300_2_03350630
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358EB00_2_03358EB0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356EF30_2_03356EF3
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356EFB0_2_03356EFB
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356ED00_2_03356ED0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033575300_2_03357530
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03353D700_2_03353D70
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358D500_2_03358D50
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C7E0_2_03356C7E
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C690_2_03356C69
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358CB00_2_03358CB0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C9E0_2_03356C9E
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033561100_2_03356110
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C490_2_03356C49
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033558F00_2_033558F0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7DAE01_2_02F7DAE0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F707C01_2_02F707C0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7A5D81_2_02F7A5D8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F75A081_2_02F75A08
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7AB401_2_02F7AB40
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7A0781_2_02F7A078
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F751E01_2_02F751E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0034BA783_2_0034BA78
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0034DDA83_2_0034DDA8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0034F6103_2_0034F610
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F0A3D07_2_02F0A3D0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F08B687_2_02F08B68
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F068387_2_02F06838
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F284B87_2_02F284B8
        Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 2396
        Source: shipping order#.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: shipping order#.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.22.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: shipping order#.exe, 00000000.00000002.1019414297.00000000015BA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs shipping order#.exe
        Source: shipping order#.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: shipping order#.exe, 00000000.00000002.1019645820.0000000001686000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
        Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@58/24@27/4
        Source: C:\Users\user\Desktop\shipping order#.exeFile created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\shipping order#.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_01
        Source: C:\Users\user\Desktop\shipping order#.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{db5d3893-53a7-40c5-9e07-c472ba23289f}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5884
        Source: C:\Users\user\Desktop\shipping order#.exeFile created: C:\Users\user\AppData\Local\Temp\50bacdd5-1381-4848-995e-cb76453c6468Jump to behavior
        Source: shipping order#.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\shipping order#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\shipping order#.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\shipping order#.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order#.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order#.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order#.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: shipping order#.exe | ReversingLabs: Detection: 29%
        Source: C:\Users\user\Desktop\shipping order#.exe | File read: C:\Users\user\Desktop\shipping order#.exe
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order#.exe C:\Users\user\Desktop\shipping order#.exe
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 2396
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe'
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Users\user\Desktop\shipping order#.exe C:\Users\user\Desktop\shipping order#.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exe | Process created: unknown unknown
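The process-creation, file-creation and mutex entries above together describe the sample's evasion and persistence chain: PowerShell `Add-MpPreference -ExclusionPath` calls that exclude both the dropped Startup copy and the original binary from Defender scanning, `cmd.exe /c timeout 1` delays before relaunch, a copy written to the user's Startup folder, a `DHCP Monitor\dhcpmon.exe` copy under Program Files (x86), and a `Global\{GUID}` mutex that the RAT uses to avoid running twice. The following is an added triage script, not Joe Sandbox's code and not part of the original report; it parses report lines of the shape shown on this page (the `Source: ... | <event>: ...` layout and the tolerance for the fused form are assumptions), runs those behaviours as detection rules over a constructed sample, and correlates file creations with later process launches so that anything executing from a location the sample itself created is flagged. The rule names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on this report's "Process created",
# "File created" and "Mutant created" entries (assumed format, not a live capture).
SAMPLE_LINES = [
    r"Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force",
    r"Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force",
    r"Source: C:\Users\user\Desktop\shipping order#.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1",
    r"Source: C:\Users\user\Desktop\shipping order#.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe",
    r"Source: C:\Users\user\Desktop\shipping order#.exe | File created: C:\Program Files (x86)\DHCP Monitor",
    r"Source: C:\Users\user\Desktop\shipping order#.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{db5d3893-53a7-40c5-9e07-c472ba23289f}",
    r"Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_01",
    r"Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'",
    r"Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe'",
]

# One report line: "Source: <src>", then an event type and its value. The
# separator is optional, so both the pipe-separated and the fused form parse,
# and a trailing "Jump to behavior" link label is dropped.
EVENT_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.*?)\s*\|?\s*"
    r"(?P<kind>Process created|File created|Mutant created):\s*"
    r"(?P<value>.+?)\s*(?:Jump to behavior)?\s*$"
)
# Image path of a "Process created" value: everything up to the first ".exe"
# that is followed by whitespace or end of line (paths may contain spaces).
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?=\s|$)", re.I)
# Defender exclusion added through the real Add-MpPreference cmdlet.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+'([^']+)'", re.I)
# Session-wide mutex named by a GUID, as the sample creates.
GLOBAL_MUTEX_RE = re.compile(r"\\Global\\(\{[0-9a-f-]{36}\})", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_events(lines):
    """Return (source, kind, value) triples for every recognised report line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append((m["source"], m["kind"], m["value"]))
    return events


def _under(image, created):
    """True if image is the created path itself or lies inside it as a directory."""
    i, c = image.lower(), created.lower().rstrip("\\")
    return i == c or i.startswith(c + "\\")


def triage(lines):
    """Run the behaviour rules over report lines; returns {rule: [evidence, ...]}."""
    events = parse_events(lines)
    findings = defaultdict(list)
    created_paths = []
    # Pass 1: file drops and mutexes, so process launches can be correlated later.
    for _source, kind, value in events:
        if kind == "File created":
            created_paths.append(value)
            if STARTUP_DIR in value.lower():
                findings["startup_folder_drop"].append(value)
        elif kind == "Mutant created":
            gm = GLOBAL_MUTEX_RE.search(value)
            if gm:
                findings["global_guid_mutex"].append(gm.group(1).lower())
    # Pass 2: process launches.
    for _source, kind, value in events:
        if kind != "Process created":
            continue
        im = IMAGE_RE.match(value)
        image = im["image"] if im else value.split(" ", 1)[0]
        for path in EXCLUSION_RE.findall(value):
            findings["defender_exclusion_added"].append(path)
        if re.search(r"\bcmd\.exe\b.*\btimeout\s+\d+", value, re.I):
            findings["cmd_timeout_delay"].append(value)
        if any(_under(image, p) for p in created_paths):
            findings["runs_from_self_created_path"].append(image)
    return dict(findings)


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LINES).items():
        print(f"[{rule}]")
        for item in evidence:
            print("   ", item)
```

On a live host the same exclusion abuse is visible without a sandbox: `Get-MpPreference` lists `ExclusionPath`, and an entry pointing at a user's Startup folder or Desktop is a finding on its own, whatever dropped it. The `Global\{GUID}` mutex is a weak indicator in isolation (many legitimate single-instance applications do the same), which is why the script reports it alongside the exclusion and self-created-path rules rather than scoring it alone.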
        Source: C:\Users\user\Desktop\shipping order#.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\shipping order#.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: shipping order#.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: shipping order#.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: shipping order#.exe | Static file information: File size 2818048 > 1048576
        Source: shipping order#.exe