Analysis Report Order list 20.1.2021 07u9Uxttb5ltGU.exe

Overview

General Information

Sample Name: Order list 20.1.2021 07u9Uxttb5ltGU.exe
Analysis ID: 341280
MD5: 8935c408c5650172e350acb92e7cc659
SHA1: 69fbb8236dc958388bdaf65b986894365d6dae6b
SHA256: 5fc84f25b331a01c87e4f7652a396a83403c0efc27cefeec6cea69b954a01040
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Order list 20.1.2021 07u9Uxttb5ltGU.exe (PID: 6148 cmdline: 'C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe' MD5: 8935C408C5650172E350ACB92E7CC659)
    • schtasks.exe (PID: 6124 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x365ee5:$x1: NanoCore.ClientPluginHost
  • 0x398705:$x1: NanoCore.ClientPluginHost
  • 0x365f22:$x2: IClientNetworkHost
  • 0x398742:$x2: IClientNetworkHost
  • 0x369a55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x39c275:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x365c4d:$a: NanoCore
  • 0x365c5d:$a: NanoCore
  • 0x365e91:$a: NanoCore
  • 0x365ea5:$a: NanoCore
  • 0x365ee5:$a: NanoCore
  • 0x39846d:$a: NanoCore
  • 0x39847d:$a: NanoCore
  • 0x3986b1:$a: NanoCore
  • 0x3986c5:$a: NanoCore
  • 0x398705:$a: NanoCore
  • 0x365cac:$b: ClientPlugin
  • 0x365eae:$b: ClientPlugin
  • 0x365eee:$b: ClientPlugin
  • 0x3984cc:$b: ClientPlugin
  • 0x3986ce:$b: ClientPlugin
  • 0x39870e:$b: ClientPlugin
  • 0x20509e:$c: ProjectData
  • 0x2700be:$c: ProjectData
  • 0x365dd3:$c: ProjectData
  • 0x3985f3:$c: ProjectData
  • 0x3667da:$d: DESCrypto
Process Memory Space: Order list 20.1.2021 07u9Uxttb5ltGU.exe PID: 6148 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe, ProcessId: 5040, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe', ParentImage: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe, ParentProcessId: 6148, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp', ProcessId: 6124

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: cool.gotdns.ch | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gIZSEI.exe | ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | ReversingLabs: Detection: 13%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Unpacked PE file: 1.2.Order list 20.1.2021 07u9Uxttb5ltGU.exe.f0000.0.unpack
Uses 32bit PE files
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49721 -> 185.19.85.136:7451
Source: global traffic | TCP traffic: 192.168.2.4:49721 -> 185.19.85.136:7451
Source: Joe Sandbox View | IP Address: 185.19.85.136
Source: Joe Sandbox View | ASN Name: DATAWIRE-ASCH
Source: unknown | DNS traffic detected: queries for: cool.gotdns.ch
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/DataSet.xsd

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gIZSEI.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Binary or memory string: OriginalFilename vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668577002.0000000008570000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668577002.0000000008570000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000000.647808282.00000000000F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIResourceGroveler.exeD vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668411012.0000000008470000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668122449.0000000007C80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000004.00000003.672084955.0000000001002000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000004.00000000.658830993.00000000006C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIResourceGroveler.exeD vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Binary or memory string: OriginalFilenameIResourceGroveler.exeD vs Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@26/2
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | File created: C:\Users\user\AppData\Roaming\gIZSEI.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Mutant created: \Sessions\1\BaseNamedObjects\nDnmOR
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{47128c17-dc06-470e-8718-2173a7e3bbbd}
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE60F.tmp
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | File read: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: unknown | Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe 'C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static file information: File size 1741312 > 1048576
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18be00
Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Unpacked PE file: 1.2.Order list 20.1.2021 07u9Uxttb5ltGU.exe.f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Unpacked PE file: 1.2.Order list 20.1.2021 07u9Uxttb5ltGU.exe.f0000.0.unpack
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Code function: 1_2_000F3C1E push edx; retf
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Code function: 1_2_000F3332 pushad ; ret
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Code function: 1_2_02556393 push edx; retf
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Code function: 1_2_02557B32 push dword ptr [edi+65h]; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.07883915605
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | File created: C:\Users\user\AppData\Roaming\gIZSEI.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | File opened: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match; File source: 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: Order list 20.1.2021 07u9Uxttb5ltGU.exe PID: 6148, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Window / User API: threadDelayed 1914
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Window / User API: threadDelayed 7527
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Window / User API: foregroundWindowGot 635
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Window / User API: foregroundWindowGot 756
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe TID: 6168; Thread sleep time: -49582s >= -30000s
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe TID: 1584; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe TID: 4240; Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668122449.0000000007C80000.00000004.00000001.sdmp; Binary or memory string: TQiQemUI.resources
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.668122449.0000000007C80000.00000004.00000001.sdmp; Binary or memory string: TQiQemUI@
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp; Binary or memory string: vmware
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Memory written: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Process created: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Queries volume information: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe VolumeInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match; File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000004.00000003.672084955.0000000001002000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match; File source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection111 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion3 | LSASS Memory | Security Software Discovery221 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection111 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing21 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

        Behavior Graph


        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Order list 20.1.2021 07u9Uxttb5ltGU.exe | 14% | ReversingLabs | Win32.Trojan.Generic

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\gIZSEI.exe | 14% | ReversingLabs | Win32.Trojan.Generic

        Unpacked PE Files

        Source | Detection | Scanner | Label
        1.2.Order list 20.1.2021 07u9Uxttb5ltGU.exe.f0000.0.unpack | 100% | Avira | HEUR/AGEN.1134873

        Domains

        Source | Detection | Scanner
        cool.gotdns.ch | 8% | Virustotal

        URLs

        Source | Detection | Scanner | Label
        http://tempuri.org/DataSet.xsd | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        cool.gotdns.ch | 185.19.85.136 | true | true | | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp | false | | high
        http://tempuri.org/DataSet.xsd | Order list 20.1.2021 07u9Uxttb5ltGU.exe, 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          185.19.85.136 | unknown | Switzerland | 48971 | DATAWIRE-ASCH | true

          Private

          IP
          192.168.2.1

          General Information

          Joe Sandbox Version: 31.0.0 Red Diamond
          Analysis ID: 341280
          Start date: 19.01.2021
          Start time: 07:49:49
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 7m 26s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: Order list 20.1.2021 07u9Uxttb5ltGU.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes: 19
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@6/8@26/2
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 2.3% (good quality ratio 1%)
          • Quality average: 32%
          • Quality standard deviation: 39%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • TCP Packets have been reduced to 100
          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 51.104.139.180, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.254.96.93, 20.54.26.129, 52.147.198.201, 13.64.90.137, 52.255.188.83
          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          07:50:39 | API Interceptor | 1431x Sleep call for process: Order list 20.1.2021 07u9Uxttb5ltGU.exe modified

          Joe Sandbox View / Context

          IPs

          Match: 185.19.85.136
          Associated Sample Name / URL | Detection
          DHL AWD 3374687886,pdf.exe | malicious
          Documento AWB DHL 3374687886.exe | malicious
          DHL 3374687886,PDF.exe | malicious
          Shipping Document PL& BL 960.exe | malicious
          Gitco_Inquiry _List.exe | malicious
          HMPEX_PO201120112.exe | malicious
          Unimac_Project_ORDER 10177_R29.exe | malicious
          Y4Taap3cTy.exe | malicious
          JEmT3ndkrV.exe | malicious

                            Domains

                            No context

                            ASN

                            Match: DATAWIRE-ASCH
                            Associated Sample Name / URL | Detection | Context
                            FACTURAS-1-2021.vbs | malicious | 185.19.85.143
                            DHL AWD 3374687886,pdf.exe | malicious | 185.19.85.136
                            Documento AWB DHL 3374687886.exe | malicious | 185.19.85.136
                            xpmcQRN870.exe | malicious | 185.19.85.135
                            Pokana2021011357.doc | malicious | 185.19.85.135
                            DHL 3374687886,PDF.exe | malicious | 185.19.85.136
                            Shipping Document PL& BL 960.exe | malicious | 185.19.85.136
                            CERERE DE COTARE.exe | malicious | 185.19.85.153
                            NEW ORDERS.exe | malicious | 185.19.85.146
                            PO#5176866.exe | malicious | 185.19.85.153
                            _Remittance_.exe | malicious | 185.19.85.133
                            i_Remittance.exe | malicious | 185.19.85.133
                            vale-remittance.exe | malicious | 185.19.85.133
                            Gitco_Inquiry _List.exe | malicious | 185.19.85.136
                            2020RFQ4883995737588375877.exe | malicious | 185.19.85.155
                            PO-IMG-00WDE21-00SW12-1102DD.exe | malicious | 185.19.85.183
                            RemittanceCopy.js | malicious | 185.19.85.181
                            Gray_Sample_pictures001029D7FE46G.exe | malicious | 185.19.85.183
                            HMPEX_PO201120112.exe | malicious | 185.19.85.136
                            MC20200603.exe | malicious | 185.19.85.149

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order list 20.1.2021 07u9Uxttb5ltGU.exe.log
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\tmpE60F.tmp
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1639
Entropy (8bit): 5.1752158804126145
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGPtn:cbhK79lNQR/rydbz9I3YODOLNdq32
MD5: 26FDC12F4303E1CE02877707F93D1711
SHA1: E48011B6254C2B4689027136EA674E8560E6E371
SHA-256: 555888AB668D8D97930E68EF519AD14F4ACA94562210A1EFB2BAF09C86512B14
SHA-512: FDB839496AF269748BED58D1215144494CA96CA06696A8D677CAC306D25030BC2F3209E02072DCBFF71695440BC03877F9F2356B2CD02798F5C0CA18B27DD328
Malicious: true
Reputation: low
                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: data
Category: dropped
Size (bytes): 1392
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUt4:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/f
MD5: E78C6686C5A1A9CB0724F84DEA9A75F0
SHA1: 80E61D5BDC7AF293362024781DA66BEA9D370FF9
SHA-256: FBE0B513511C00AC3B7169E1BCFB675CFD708B249365D724269C23FAC1184967
SHA-512: FF3835238CAEA26D8800B56901AB962ACD2FA390F955C4A8A15B5817AAB7642D105538CF63938D218567501477FB4B23C2834F22CBC8BA0002C7BCACB2875637
Malicious: false
Reputation: low
                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:6ujx:Ft
MD5: D57F6F8719FAFDD38D9BBB21A60AD9E0
SHA1: 547C1104C41BF4E65F0C633D711660B39D23C553
SHA-256: 2C684325E720A99735382667245820FC61C73CE32BE40C4BA78EA80971A3CFCF
SHA-512: 5438C76F099D073A3AF8951B26DE379276CB1C95CF99F88AD3DAAE6DF7687000B848151E5DD22CA5BC6C6E1110B1B51DC081EE07AF9AEF42F251A314EBA33859
Malicious: true
Reputation: low
Preview: ...F..H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Reputation: moderate, very likely benign file
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
Reputation: moderate, very likely benign file
                            Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
C:\Users\user\AppData\Roaming\gIZSEI.exe
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1741312
Entropy (8bit): 7.044200529220029
Encrypted: false
SSDEEP: 24576:RJEl7t/bYfqiY11a8gPgYUGwTNIg7Esbz1A6bagTRyvN:7ElBzYfqiww9gYUnTOcEsf1XJTR
MD5: 8935C408C5650172E350ACB92E7CC659
SHA1: 69FBB8236DC958388BDAF65B986894365D6DAE6B
SHA-256: 5FC84F25B331A01C87E4F7652A396A83403C0EFC27CEFEEC6CEA69B954A01040
SHA-512: 55312234692BBD6E2B60128350A32E02D2D8AFFBAA154280B5F080044039F14660114483BAAF81BAA940122AA4B04A7A247CA5DF02EF7CA993D287B8C6DFDD5E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 14%
Reputation: low
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.`..............P.................. ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......(>..........B....4..............................................w|E~}l....J.b.NtF...e.:..%.......:...w.........^.V.3l......u......1.....1x....t..3.3n..`S.l.e...lDT.4[.2?...o.U...@G..h..et..8..3..A.n....k...Z....QQ7.....H.....N(V...G.V.{.?...N.P+6...?.=.C...rU;....Wv.Js...2q.zh.C....!....;]..0.....~._.O..AsD:...pZ.H..........eD...?.Pds..T.?...p4...Yg.5.......1.5=.....Y..i.............T...h&.J....z..pa~.UF..HdK.o|..' ..<..A.........}..&u....4..."...A]..K9
C:\Users\user\AppData\Roaming\gIZSEI.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.044200529220029
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Order list 20.1.2021 07u9Uxttb5ltGU.exe
File size: 1741312
MD5: 8935c408c5650172e350acb92e7cc659
SHA1: 69fbb8236dc958388bdaf65b986894365d6dae6b
SHA256: 5fc84f25b331a01c87e4f7652a396a83403c0efc27cefeec6cea69b954a01040
SHA512: 55312234692bbd6e2b60128350a32e02d2d8affbaa154280b5f080044039f14660114483baaf81baa940122aa4b04a7a247ca5df02ef7ca993d287b8c6dfdd5e
SSDEEP: 24576:RJEl7t/bYfqiY11a8gPgYUGwTNIg7Esbz1A6bagTRyvN:7ElBzYfqiww9gYUnTOcEsf1XJTR
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.`..............P.................. ........@.. ....................................@................................

File Icon

Icon Hash: 4fa1acacaca9254f

Static PE Info

General

Entrypoint: 0x58dd0e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60062AA5 [Tue Jan 19 00:41:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18dcb4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18e000 | 0x1cfd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x18bd14 | 0x18be00 | False | 0.613764751737 | data | 7.07883915605 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x18e000 | 0x1cfd0 | 0x1d000 | False | 0.284979458513 | data | 5.23332295466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1ac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x18e220 | 0x42aa | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x1924cc | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x1a2cf4 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x1a6f1c | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x1a94c4 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 1089400558, next used block 1089400558 | |
RT_ICON | 0x1aa56c | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x1aa9d4 | 0x5a | data | |
RT_VERSION | 0x1aaa30 | 0x3b4 | data | |
RT_MANIFEST | 0x1aade4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019 Principle Pleasure
Assembly Version | 7.20.17.0
InternalName | IResourceGroveler.exe
FileVersion | 7.20.17.0
CompanyName |
LegalTrademarks |
Comments | Principle Pleasure
ProductName | Record Bgy System
ProductVersion | 7.20.17.0
FileDescription | Record Bgy System
OriginalFilename | IResourceGroveler.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/19/21-07:50:47.391360 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:50:54.760816 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49722 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:01.352160 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49725 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:07.310601 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:13.744730 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49729 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:20.604711 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49730 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:27.840868 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:34.284086 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:41.520045 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:47.214796 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49754 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:51:53.279687 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49755 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:00.336225 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:06.320462 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:13.317495 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49764 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:18.262032 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:25.288563 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49776 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:31.305836 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:37.275244 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:44.259420 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:51.314375 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:52:57.513870 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49781 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:53:04.457835 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49782 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:53:11.456831 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:53:17.525829 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49784 | 7451 | 192.168.2.4 | 185.19.85.136
01/19/21-07:53:24.554457 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 7451 | 192.168.2.4 | 185.19.85.136

                            Network Port Distribution

                            TCP Packets


                            UDP Packets


                            DNS Queries


                            DNS Answers


                            Code Manipulations

                            Statistics

                            Behavior

                            System Behavior

                            General

                            Start time: 07:50:37
                            Start date: 19/01/2021
                            Path: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe'
                            Imagebase: 0xf0000
                            File size: 1741312 bytes
                            MD5 hash: 8935C408C5650172E350ACB92E7CC659
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.662843036.000000000276B000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.664198703.0000000003F65000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation: low

                            General

                            Start time: 07:50:41
                            Start date: 19/01/2021
                            Path: C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gIZSEI' /XML 'C:\Users\user\AppData\Local\Temp\tmpE60F.tmp'
                            Imagebase: 0xa40000
                            File size: 185856 bytes
                            MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 07:50:42
                            Start date: 19/01/2021
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff724c50000
                            File size: 625664 bytes
                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 07:50:42
                            Start date: 19/01/2021
                            Path: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Users\user\Desktop\Order list 20.1.2021 07u9Uxttb5ltGU.exe
                            Imagebase: 0x6c0000
                            File size: 1741312 bytes
                            MD5 hash: 8935C408C5650172E350ACB92E7CC659
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Reputation: low

                            Disassembly

                            Code Analysis
